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PREFACE 


The Orbiter subsystem hardware/software interaction analysis examines software 
interaction with hardware failure modes. Each failure mode identified in 
subsystem FMEA (failure mode and effects analysis) is examined for interaction 
with software. The analysis is based upon key questions which identify potential 
issues. These potential issues are to be resolved by providing rationale for 
retention or identifying and implementing changes to eliminate the issue. 

The figure on the following page illustrates the relationship of the 
hardware/software interaction analysis to the verification process which leads to 
the statement of flight readiness. As shown, the analysis is a supporting item 
which is a portion of the data base utilized by the FRAT's (flight readiness 
assessment teams) and the associated SEAM (Systems Engineering Assessment 
Meeting) teams in planning and controlling the verification process. The overall 
issue of hardware/ software interface compatibility is addressed by the verifica- 
tion process itself. The analysis scope is limited to examination of single 
failure modes, as identified in the FMEA, and the interaction of these failure 
modes with the software as reflected by the software requirements . 

The hardware/software interaction analysis is performed on a preliminary basis by 
the JSC Reliability Division. Results are then coordinated with JSC engineering 
and Rockwell /Space Systems Group engineering and reliability to obtain inputs and 
approval signatures. The approval sheet for the Forward Reaction Control System 
are presented below. The Rockwell signatures represent their review of -the open 
issues and risks, if any, performed against the summarization of the analysis. 
Section 5.0 presents the analysis summary which groups the failure modes by 
similar retention rationale and is a convenience in identifying groups of failure 
modes in which the analysis is similar. The reviews with Rockwell did not cover 
each checklist. The minutes presented in the appendix document the nature and 
depth of the Rockwell analysis review. 

This analysis verified that no open issues remain. 


Joseph H. Levine 
W. Chief, Reliability Division 


Approved: 
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1.0 INTRODUCTION . This report documents the results of the analysis of the 
hardware/software interaction analysis for the Forward Reaction Control System. 
This analysis examines the interaction between hardware failure modes and 
software in order to identify associated issues/risks. These issues/risks are 
resolved through changes to software requirements to remove them, or surfaced to 
project/program management with appropriate retention rationale. 

2.0 SCOPE . All Orbiter subsystems and interfacing program elements which 
interact with the Orbiter computer flight software are analyzed. The analysis 
for each subsystem or interfacing element is presented in a separate volume of 
this report (see section 3.1). 

The analysis examines failure modes identified in the subsystem/element FMEA 
(failure mode and effects analysis). Potential interaction with software is 
examined through evaluation of the software requirements, not detailed 
implementation. The analysis is restricted to flight software requirements only, 
and excludes utility/checkout software. The BFS (backup flight system) software 
is considered only as necessary, and only as it differs from the primary; the 
basic thrust of the analysis is keyed to the primary system. 

The analysis is based upon the hardware design and software requirements as they 
existed as of the date of the analysis. Future updates will be published as 
necessary to incorporate changes to either the hardware or software. 

3.0 APPLICABLE DOCUMENTS. 


3.1 HARDWARE/SOFTWARE INTERACTION ANALYSIS REPORT VOLUMES. The hard- 
ware/software interaction analysis results are reported on a subsystem basis, 
each in a separate volume. The separate volumes which make up this report are as 
f ol 1 ows : 


Volume 


Subsystem 


I 

II 

III 

IV 

V 

VI 

VII 

VIII 

IX 

X 

XI 

XII 

XIII 

XIV 

XV 

XVI 

XVII 


Purge, Vent, and Drain 

Payload Deployment and Retention 

Payload Bay Doors 

Main Propulsion 

Data Processing Subsystem 

Hydraul ics 

Auxiliary Power Unit 
Reaction Control 
Electrical Power 
Orbital Maneuvering 

Environmental Control and Life Support 
Integrated Avionics 

Electrical Power Distribution & Control 

6NC (Guidance, Navigation & Control) Support 

Displays & Controls 

Communications & Tracking 

Instrumentation 
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3.2 REFERENCE DOCUMENTS. The primary documents used in performing the analysis 
included the following: 

a. SD75-SH-0016A, "Failure Mode Effects Analysis, Forward Reaction 
Control Subsystem," Dec 18, 1978. 

b* JSC 11174, "OV-102 Space Shuttle Systems Handbook," September 22, 


c. SD76-SH-0026A, "Functional Subsystem Software Requirements, Sequence 
Requirements," March, 1978. 

d. SD76-SH-0020, "Functional Subsystem Software Requirements, Displays 
and Controls," February 1, 1978. 

e. SD76-SH-Q027D, "Functional Subsystem Software Requirements, Systems 
Management," October 16, 1978. 

f. MG038103, "Backup Flight System Management/Special Processes and 
Sequencing Program Requirements Document," December 20, 1978. 

g. SD75-SH-0010E, "Functional Subsystem Software Requirements, Redundancy 
Management," dune 1, 1979. 

4.0 DESCRIPTION . 

4.1 GROUND RULES. The hardware software analysis is performed according to the 
following ground rules: 

a. The hardware/software analysis will be limited to investigating the 
software interaction with the failure modes of the hardware as delineated in the 
subsystem FMEA's. 

b. Software interaction will be limited to involvement of software of the 
onboard computers. 

c. Only failure modes of hardv/are with software interfaces (software 
monitoring and/or software control) are analyzed. 

d. The software detection must be considered with respect to each phase 
of the mission [prelaunch (OPS 1 only), ascent, onorbit, and entry]. 

4.2 ANALYSIS CHECKLIST. The basic tool for the analysis is the checklist 
(figure 4-1). A separate checklist is used for each failure mode analyzed. Note 
that the "FMEA Number" in the heading refers to the FMEA document number, not the 
page number on which the failure mode is treated. 

The checklist consists of three sections: Body, change/retention rationale 

summary, and expl anation/comments. Each of these sections is dicussed below. 
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SUBSYSTEM 
ITEM 

1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES PI *NO P] 

IN-FLIGHT DETECTABILITY? ^ 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES P] NO PI 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *Y£S Fl NO [~| 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES fl HO H 

INDUCE ANOTHER FAILURE? ^ 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES H NO Pf 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 □ *!□ eH 

ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED H/A P]YESr]NOn 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 

CHANGE/RETENTION RATIONALE SUMMARY , 

1.0 NO H/S ISSUES 3.0 NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2.0 HARDWARE ACCEPTS RISK 4.0 DETECTION DURING CHECKOUT S. £□ RECOMMENDED CHANGES BELOW 


□ FHEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS: 


Figure 4-1. Hardware/Software Analysis Checklist. 


YES U*NO □ 
YES O *N0 □ 


3. 
3a • 

4. 

5. 


YES □ NO □ 
*YES □ NO Q 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 

FMEA NUMBER - 

FAILURE MODE 
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The questions in the checklist body are answered using the following guidelines: 

a. Question 1. Will the information provided to the onboard software and 
the processing of that information cause annunciation of the failure and/or 
initiation of a corrective action in response to this failure mode? 

b. Question la. Answer question la. if the answer to question 1 is "no." 
Information available to the software could be in the form of (1) sensor data 
used by onboard software but not for automatic fault detection (data used in 
software routines or fault detection available through callup or dedicated 
displays); (2) system and/or subsystem performance parameters; or (3) 
measurements which are downlisted. Answer "yes" if such information could be 
used to annunciate the failure condition or initiate responsive action. In 
explanation comments, specifically identify the information available for 
software detection. 

c. Question 2. If all of the following questions are answered "no," 
check the "no" block and explain the difference in the expl anation/comments 
section: 

(1) Are the master measurements listed under "Failure Detectability 
In-flight" on the FMEA (1) used by the onboard software in detecting time 
critical failures (if routed to GPC), or (2) used by the onboard software in 
annunciating non-time critical failures via callup displays, or (3) downlisted 
for non-time critical failures? 

(2) Are other measurements, dedicated displays, crew detection, and 
system/ subsystem parameters available or able to detect this failure mode? 

(3) If "failure detectability in-flight" specifies only software 
action, does the software actually initiate the corrective action as called out 
in the "corrective action" portion of the FMEA? 

d. Question 3. The question considers only the cases wherein, the 
software determines a failure. 

e. Question 3a. Answer question 3a if the answer to 3 is "no." If the 
answer to 3a is "yes," call out the possible corrective action in the 
explanation/comments section. 

f. Question 4. The question is considered for both the detected and the 
undetected failure. The overstress or inducement of another failure may be 
acceptable action. Overstress by software is improper commands, sequencing, or 
timing resulting in action exceeding hardware design requirements or exposing 
hardware to excessive environments. 

g. Question 5. The question is considered for both the detected and the 
undetected failure. Limit adverse effects to effects directly resulting from 
software commands or subsequent actions resulting from erroneous inputs as a 
result of the failure. 

h. Question 6. The hardware/software may change the method of detection 
and/or correction after the first or the second failure; consider this in 
answering the question. Determine if the software will be able to use the 
redundance of the hardware. If the hardware/software interaction following the 
particular failure mode changes the criticality, in comparison to the FMEA, check 
the box provided in the summary section of the checklist. 
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i. Question 7. If crew action is not required to respond to the failure, 
check the "N/A" block. Cues which provide inputs to the crew include but are not 
limited to cathode-ray tube annunciation, caution and warning, visual cues, 
audible cues, callup and dedicated displays, subsystem status data, panel meters, 
etc. 


j. Question 8. A and 8.B. Answer these questions only if either question 
1 or 3 is “yes." 

(1) Question 8. A. Consider that the failure occurs while the 

vehicle is being flown using the primary system. What will happen if the BFS 

must be engaged subsequent to the failure? Will the fact that the failure has 

occurred prevent the BFS from operating properly, under any conditions? A "no" 
answer is a potential issue (requiring explanation) only if the BFS can normally 
tolerate the failure (when it occurs during BFS operation). 

(2) Question 8.B. Consider that the failure occurs while the 

vehicle is under BFS control. A "no 11 answer is an issue (requiring explanation) 
only if the BFS response differs from that for the primary system. 

4.2.2 Change/Retention Rationale Summary. Each failure is assigned to one of 
six possible groups, based upon the answers obtained in the checklist body. 
Boxes are provided to indicate the category assigned. Figure 4-2 presents the 
criteria for group assignment. 

A box is also provided to indicate that changes are required to the FMEA. The 
FMEA evaluation of in-flight detectability is sometimes inaccurate and requires 
change. In addition, other errors (e.g., incorrect criticality assignment or 
incorrect evaluation of redundancy screens) are occasionally noted during the 
analysis and are documented here. 

A space is provided to detail acceptance rationale, change recommendations, or 
suggested FMEA changes. This space may also be used to provide a short general 
comment to expand the retention rationale grouping. 

4.2.3 Expl anati on/Comments . Each question answered by checking a box identified 
with an asterisk is discussed in this section. The circumstances for checking a 
box not identified with an asterisk are discussed, and the rationale for not 
making such a change is presented, if applicable. This section may also be used 
to explain, expand, or qualify answers. Each discussion is identified with the 
corresponding question number. 

4.3 ANALYSIS SUMMARY. The analysis results are summarized on the basis of 
retention rationale grouping and recommended changes/retention rationale. Figure 
4-3 depicts the form utilized for this purpose. A particular retention rationale 
definition, acceptance rationale statement, or recommended change is listed in 
the left column, with the applicable failure modes listed on the right. The 
issue/risk is briefly described with acceptance rationale or software 
requirements change recommendation. The summary provides a basic overview of the 
total analysis results. 

5.0 ANALYSIS SUMMARY SHEETS . The analysis results are summarized on the 
following sheets. The failure modes have been grouped by issue/retention 
rationale (or change), affording an overview of the results for the entire 
subsystem. 
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CHANGE /RETENTION RATIONALE 


1. NO * CHECKED - NO HARDWARE/SOFTWARE ISSUES ARE APPARENT FROM THE ANALYSIS. 
SYSTEM IS FAIL OPERATIONAL/FAIL SAFE WITH RESPECT TO THIS FAILURE MODE UNDER 
CURRENT DESIGN. 

2. ONLY * CHECKED ON QUESTION 6 - NO HARDWARE/ SOFTWARE ISSUES ARE APPARENT FROM 
THE ANALYSIS. RISK HAS BEEN ACCEPTED VIA HARDWARE CIL. 

3. ONLY * (YES) CHECKED ON QUESTION la - NO SOFTWARE DETECTION IS PROVIDED. 

FAILURE EFFECT IS NOT TIME CRITICAL. FAILURE MAY BE DETECTED BY OTHER MEANS 

OR FUNCTION IS NOT MISSION/SAFETY CRITICAL. 

4. * CHECKED ON QUESTION 3a - * ON la MAY OR MAY NOT BE CHECKED - SOFTWARE DOES 

NOT TAKE CORRECTIVE ACTION FOR FAILURE. FAILURE EFFECT IS NOT TIME 
CRITICAL. CORRECTIVE ACTION MAY BE INITIATED BY CREW. PLANNED CHECKOUT 
ACTIVITIES WILL DETECT FAILURE. SYSTEM IS FAIL OPERATIONAL/FAIL SAFE 

WITHOUT SOFTWARE DETECTION AND CORRECTION. 

5. STANDARD RETENTION RATIONALE DOES NOT APPLY. SPECIFIC RETENTION RATIONALE 
IS SUMMARIZED FOR THIS FAILURE. 

6. ISSUES IDENTIFIED AND CHANGES ARE DESIRABLE. SPECIFIC CHANGES ARE 

SUMMARIZED. 

NOTE: DO NOT CONSIDER ANSWER TO QUESTION 2 IN DETERMINATION OF 

CHANGE/RETENTION RATIONALE SUMMARY CODE. CONSIDER RESPONSES TO BOTH 
QUESTION 2 AND 6 IN DETERMINING WHETHER AN FMEA CHANGE IS REQUIRED. 


Figure 4-2. Change/Retention Rationale 
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Figure 4-3. Hardware/Software Analysis Summary 


HARDWARE/ SOFTWARE ANALYSIS SUMMARY 

SUBSYSTEM 

ANALYSIS RESULT ITEM/FAILURE MODE 


FMEA 




HARDWARE/SOFTWARE ANALYSIS SUMMARY 


FMEA SD75-SH-0016A 


SUBSYSTEM Forward Reaction Control 

’ ANALYSIS RESULT ' ITEM/ FA I LURE MODE 


HARDWARE ACCEPTS RISK Helium Storage Tank - Rupture (03-2F-101010-1 ) 

Helium Feedline - External Leakage (03-2F-1 01013-1 ) 

Quick Fill Disconnect, He - Fails Open, Cap Leaks (03-2F-1 01 070-1 ) 

Test Quick Disconnect, Propellant - Ext. Leakage/Flight ( 03-2F-1 01 090-1 ) 
Propellant Line Flex Assy. - External Leakage (03-2F-1 021 06-1 ) 

Feedline and Fittings - External Leakage (03-2F-1 021 08-1 ) 

- AC Motor Operated Valve (Tank) - Fails Closed (03-2F-1 021 20-1 ) 

Quick Disconnect - External Leakage (03-2F-1021 50-1 ) 

DC Solenoid Operated Valve - Fails Closed - Premature Operation 
' (03-2F-1 021 70-1) 

Tank Assembly and Propellant Acquisition Device - Small Crack - External 
Leakage (03-2F-1 11110-2) 

Tank Assembly and Propellant Acquisition Device - Restricted Flow 
(03-2F-111110-3) 

Tank Assembly and Propellant Acquisition Device - Loss of Gas in 
Propellant Acquisition Device (03-2F-imi0-4) 

Flex Line and Fittings - External Leakage ( 03-2F-1 21308-1 ) 

Thrust Chamber - Burn Through (03-2F-1 2131 2-1*) 

Nozzle Extension - Burn-Through (03-2F-1 21313-1 ) 

Vernier Thruster - Erratic Operation ( 03-2F -73131 0-3 ) 

Vernier Thruster - Burn-Through (03-2F-131310-4) 

Helium Pressure Regulator - Fails Closed (03-2F-1 01 030-2) 

Tank Assembly and Propellant Acquisition Device - Large Rupture 
(03-2F-1 1111 0-1 ) 

Purge Quick Disconnect, Propellant - External Leakage During Flight 
(03-2F-1 01 080-1 ) 

Helium Quad Check Valve - Fails Closed (03-2F-1 01095-2) 

Vernier Thruster - Loss of Output (03-2F-1 31 31 0-1 ) 




HARDWARE/SOFTWARE ANALYSIS SUMMARY 


SUBSYSTEM RoArfi rin Pnn - f*v'rv1 

FMEA SD75-SH-0016A 

. . i Hi ¥¥0,1.1 U.U — U*U 14-LUU-t— 


'• ANALYSIS RESULT 

ITEM/ FAILURE MODE 

NO HARDWARE/SOFTWARE ISSUES 

! 

i 

1 

! 

D.C. Solenoid Valve - Fails to Close (03-2F-1 01 020-3) 

D.C. Solenoid Valve - Fails Closed (03-2F-1 01 020-4) 

Helium Pressure Regulator - Fails Open (03-2F-1 01030-1 ) 
Relief Valve - External Leakage Overboard ( 03-2F-1 01 060-1 ) 
Relief Valve - Burst Disc Ruptures ( 03 -2F-1 01060-2) 

Relief Valve - Fails to Burst ( 03-2F-1 01 060-3 ) 

"Relief Valve - Opens Low (03-2F-1 01060-4) 

Relief Valve - Fails to Open (03-2F-101060-5) 

Helium Quad Check Valve - Fails Open (03-2F-1 01 095-1 ) 
Injector Plate - Mixture (03-2F-1 21 31 1 -1 ) 




SUBSYSTEM Forward Reaction Control 


HARDWARE/SOFTWARE ANALYSIS SUMMARY 


FMEA SD75-SH-0016A 


' ANALYSIS RESULT 

ITEM/FAILURE MODE 

OUT OF SCOPE - GROUND ONLY . 

_i 

o 

1 

Manual Valve - Fails Closed or Open (03-2F-1 01 050-1 ) 

Manual Valve - Internal Leakage ( 03-2F -1 01 050-2 ) 

Quick Fill Disconnect, He. - Fails Closed/Ground OPS (03-2F-101070-2) 

Purge Quick Disconnect, Propellant - Fails Closed/Ground OPS. 

(03-2F-1 01 080-2) 

Test Quick Disconnect, Propellant - Fails Closed/Ground Ops 
, (03-2F-1 01090-2) 

Quick Disconnect - Fails Closed/Ground Ops. (03-2F-102150-2) 






6.0 ANALYSIS CHECKLIST SHEETS 

Following are the analysis checklist sheets for each failure mode evaluated. 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 010-1 
SUBSYSTEM' Fwd Reaction Control FMEA HUMBER SD75-SH-OQ1 6A 

ITEM Helium Storage Tank FAILURE RODE Rupture 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
- ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO CUESTIOilS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
{EITHER BY COMMANDING HARDWARE ACTION' OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS ' 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? - . 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATIQN REQUIRED (SEE BELOW) 


YES 0 NO □ 
*YES □ NO P 
YES 0 *NO Q 
YES P NO JT) 
*YES □ NO [X] 

*YES P NO 23 
*YES P NO (Tf 

*0 0 *lQ 2p 

N/A pYESfriNOp 


YES P*KO □ 
YES P*NO □ 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. [Xj HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLAHATION/COMMEHTS: 


1. GAX will give a class 2 alert upon sensing an out-of- tolerance condition. (^500 psi) 
Gross leak detection will give a class 2 alert. 


8. Backup flight system same as primary. 


SHUTTLE FA IL URL MODE AMD EFFECTS ANALYSIS - ORBITER 1C2 


SUBSYSTEM : FWO - REACTION' CQMTROL 

ASSEMBLY : PRESSURIZATIONS 

°/M R I :hC28Z— GG82— GC3 1/-0032 

P/N VENDOR : S LD— 99 9040 

QUANTITY 12 

JUNE REO’D PER EACH 
: PROPEL LAM TANK 

FAILURE DETECTABLE IN FLIGHT?. YES 
PRESSURE INDICATION 
1 113C 


FMt A NO 03—2 F -IdOIC-I REV:iZ/JLE/7 
A SORT : CK1T . FuNC: i 

CHIT. HWu: I 

MISSIONS: HF ‘ VF X FF OF SM 
PHASt(S): PL X LG X GO X CU X LS 
NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: C 

REDUNDANCY SCREEN: A-N/A E-N/A C-N/A 

TIME TO EFFtCT: 

IMMED IaTE/SECONuS 
REFERENCE OUCuMLNTS: 


V4-2P— 11 ICC 


MJ070-CCSl-Cie 

GROUND TURNAROUND? YES S072-SH-01 03- 2 

SAME AS FLIGHT VS70-4Z1001 


PR'- PA RED 
DES 
REL 


BY: 


J TAGC-ART 
R DIEHL 


APPROVED oY: 

DES __ 
REL 


.item: Tank 

HELIUM STORAGE, FILAMENT WOUND. 

.FUNCTION: 

. TO STORE HELIUM AT A MAX WORKING PRESSURE OF 4C00 PS I FOR 

PRESSURIZATION OF ThE FWO RCS MODULE PROPELLANT SUPPLY SYSTEM. TANK 
CONSISTS OF A DOUBLE MELT T1 LINER WITH DUPONT 49 FIBER A NO EPOXY RfcSIN 
BONDING OVER WRAP. 

.failure mode: rupture, external leak <s) 

. RUPTURE - LARGE CKACK WHICH PROROGATES AROUND TANK IMMEDIATELY. 

Lu.AKA.Gc — FRACTURE WHICH DOES NOT PROROGATE TG RUPTUkL. 

.CAUSE (S ) : 

. VIBRATION, STRESS CORROSION, TEMP. RISE, FATIGUE, INADVERTENT 
OVER— PRES SURIZATIQM (GROUND OPS). 

.EFFr.CT(S): ON (a)SUBSYSTEM ( id ) INTERFACES (OMISSION (0 )CR EW/VEhl CLc: 

(A) LOSS OF PRESSURIZATION TO FUEL OR OXIDIZER. (6) EXPLOSIVE 
. EXPANSION OF HELIUM WITHIN RCS MODULE. (C) POTENTIAL LOSS OF 

MISSION-ABORT DECISION DEPENDANT ON EXTENT OF DAMAGE. ID) POTENTIAL 
LOSS OF CREW/VEHICLE. 

.CORRECTING ACTION: 

. NONE AVAILABLE EXCEPT POSSIBLE RESCUE IF VEHICLE STILL INTACi. 

• R ENAR NS /H A Z ARD S : 

. h aZARC CF SHRAPNEL PROPAGATION, HOWEVER, UTILIZATION Or FILaMENT WOUND 

Tank MINIMIZES OR eliminates this hazard, additional hazard of module 

QVtR PRESSURIZATION' STILL EXISTS. NU REDUNDANCY PROVIDED FOR Tr-IS IT tM 
- REFERENCE HAZARD 1YXX-0 302-02 . 



SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : PRE SSUR I ZAT I ON 
P/N RI : MC2 82--0 C82— 003 1 /— 0032 
P/N VENDCRrB LD— 999040 - 
QUANTITY : 2 

:0N 6 REQ’D PER EACH 
: PROPELLANT TANK 


FM5A NO 03-2F -101010-1 REV: 1 1/09/78 
ABORT: CRIT. FUNC: 1 

CRIT. HDw : L 

MISSIONS: HF VF -X FF OF SH 
PHASE! S) : PL X LO X 00 X DO X LS 


REDUNDANCY SCREEN: A-N/A 8-N/A C-N/4 


PREPARED BY: 

DES J TAGGART 

R5L - R DIEHL 




.ITEM: TANK 

» HELIUM STORAGE, FILAMENT HOUND. 

.FUNCTION: 

. TO STORE HELIUM AT A MAX FORKING PRESSURE OF 4003 PS I FOR 

PRESSURIZATION OF THE FKD RCS MODULE PROPELLANT SUPPLY SYSTEM- TANK 
CONSISTS OF A DOUBLE MELT TZ LINER WITH DUPONT 49 FIBER AND EPOXY RESIN 
BONDING OVER WRAP. 

.FAILURE MODE: RUPTURE, EXTERNAL LEAK t S > 

. RUPTURE - LARGE CRACK WHICH PROPOGA T S? AROUND TANK IMMEDIATELY. 

LEAKAGE.- FRACTURE WHICH DUES NOT PROROGATE TO RUPTURE. 

.CAUSE! S ) : 

. VIBRATION, STRESS CORROSION, TEMP. RISE, FATIGUE, INADVERTENT 
OVER— PRESS UR II ATI ON (GROUNO CPS). 

. EFFECT ( S ) : 0!) { A) SUBSYSTEM { B) INTERFACES (CJMISSICN ( D ) C P.EV./VEH I CL E: 

. (A) LOSS OF PRESSURIZATION TO FUEL CR OXIOIZER. (B) EXPLOSIVE 

EXPANSION OF HELIUM WITHIN RCS MODULE. tC) POTENTIAL LCSS OF 
MISSION— ABORT DECISION DEPENDANT ON EXTENT OF DAMAGE. (D) POTENTIAL 
LOSS OF CRELVVEHICLE. 

.DISPOSITION £ RATIONALE ( A ) DESIGN (BITES f (C 5 I INSPECTION { D ) F AILUR E HISTORY: 

- ! A ) FILAMENT WOUND TANKS ARE DESIGNED TO LEAK BEFORE RUPTURE WHICH 

LIMITS FAILURE PROPAGATION DUE TO SCHRAPNEL- INCREASED STRAIN 
CAPABILITY IS PROVIDED BY THE COMPRESSIVE LOAD ON AN UNP RES5URI ZED 
LINER. THE FACTOR OF SAFETY IS L.5 X MAX WORKING PRESSURE OF 4003 PSIG- 
DUAL SEALS ARE PROVIDED AT TANK FLANGE . (BJ TANKS ARE SUBJECTED TO 

PROOF PRESSURE Cl.lX WORKING PRESSURE) DURING ACCEPTANCE TESTING. QUAL 
TESTS INCLUDE 1000 PRESSURE CYCLES EQUAL TO 4 TIMES LIFE REQUIREMENT, 90 
DAY CREEP TEST AT MAX WORKING PRESSURE PLUS RANDOM VIBRATION AT 
ANTICIPATED MISSION LEVELS FOR 48 MIN IN EACH AXIS. (C) IN PROCESS 
'INSPECTION INCLUDES RADIO GRAPHIC INSPECTION OF WELDS £ FLUORESCENT 
PENETRATION INSPECTION FOR SURFACE FLAWS. TURNAROUND CYCLE FOR EVIDENCE 
OF RUPTURE- AUDIT CONDUCTED 2/9/7B VERIFIED SUPPLIER RECEIVING 
INSPECTION CDNTRGLS RAH MATERIAL AND PURCHASED COMPONENTS AND IN-HOUSE 
INSPECTION CONTROLS CORROSION PROTECTIVE PROVISIONS, TEST HANDLING 
STORAGE ENVIRONMENTS, MEASUREMENT STANDARDS, TEST EQUIPMENT, NDE 
TESTING® PARTS PROTECTION, MFG PROCESSES AND FINISHES. CHEMICAL ETCHING, 
X-RAY AND PROOF TEST OF LINER AND MECHANICAL PROPOERTIES AFTER HEAT 
TREAT ALSO VERIFIED BY INSPECTION. (D) NO HISTORY AVAILABLE. TANK IS 
BEING DEVELOPED FOR SHUTTLE PROGRAM.. 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-101013-1 

SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-0Q16A 

ITEM Helium Feedline FAILURE MODE External Leakaae_ 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT OETECTA6ILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING KARDUARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE 'MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HAROWARE/SOF1 WARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? • 

♦EXPLANATION REQUIRED (SEE BELOW) . 


YES jx] NO □ 
*YES □ NO □ 
YES 0 *NO □ 
YES □ NO QQ 
*Y£S Q NO [X] 

*Y£S □ NO 0 
*Y£S O NO [XJ 

. *o GO *iD 2D 

M/A [I|YES(X]NOn 


YES (Xj *N0 □ 

YES {X]*NO □ 


CHANGE/RETENTION- RATIONALE SUMMARY 
1,0 NO H/S ISSUES' ■ _ . 

2; CD HARDWARE ACCEPTS RISK 


. 3. D NO SOFTWARE DETECTION 
'4. CJ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE 8ELCW 

6. P RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 


1. GAX will give a class 2 alert upon sensing an out-of-tolerance condition. (<500 psi) 
Gross leak detection will give a class 2 alert. 


Backup flight system same as primary. 
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ShUTTLE FAILURE MO DE AND EFFECTS ANALYSIS 


GRBI7ER 102 


SUBSYSTEM : FWD - REACTION CONTROL 
ASSEMBLY : PRESSUKI 2ATION HELIUM - 
P/N R 1 : VC7Q— A2170 I 


FMEA NO C3-2F —101013—1 REV iii/CS/?. 
ABORT: CKIT . FuNC: i 

CP IT. HWJi 1 


P/N VcNDOP : 


MISSIONS: HF VF X FF CF $M 


QUANTITY : 2 PHASt(S): PL X LO X 00 X DO X lS X 

: ONE SET PER PROPELLANT NUMBER OF SUCCESS PATHS REMAINING 
: AFTER FIRST FAILURE: 0 

REDUNDANCY SCREEN : A-N/A t— N/A C-N/A 

FAILURE DETECTABLE IN FLIGHT?. YES TIME TD EFFECT: 

HELIUM TANK PRESSURE DRO P AT OFF -NOMINAL RATE; IMMEDIATE 

VA2P-U10C; 1I12C; 11I3C; 1114C KEFERcNCE DOCUMENTS: 


GROUND TURNAROUND? YES 

SAMt AS FLIGHT INSTRUMENTATION 


M J 07 0 —0 C 0 1 *-l 1 u 
S072— SFi— 0 1 03—2 
VS 70- '+2 10 01 


PREPARED 

DES 

R£L 


SY : 


A SI EG ELI K 
R DIEHL 


APPROVED bY: 

UcS 

RfcL 


.ITEM: HELIUM FEED LINE AND 
. FLUID FITTINGS. 

.FUNCTION: 

. 7U PROVIDE FEED LINE FROM HELIUM TANKS TO HELIUM 
REGULATION /PRESSURATION SYSTEM AND TO PROPELLANT 
TANKS.- 

.failure mode; external leakage is) 


.CAUSE (S ) : 

. MECHANICAL SHOCK t V ISRATI ON/FATlbUt, IMPROPER INSTALLATION tWELu). 
FLUID FITTING SEAL FAILURE. 

.EFFECT <S): ON (A) SUBSYSTEM (B ) INTERFACES (OMISSION ( D JCREW/VcH IC LL : 

. (A) LOSS OF HELIUM SUPPLY IF NOT' ISULaTAdLE. (IE. IF UPSTREAM GF 
. SOLENOID VALVE). <b) POTENTIAL GVERPR ES SUR IZ AT 1 ON OF FORWARD (OjJLc 

FROM GROSS LEAK. (C,D) POTENTIAL MODULE DAMAGE RESULTING IN LOSS OF 
. MISSION/ CREK'/VEHiCLt IF GROSS LEAK OCCURS DURING CRITICAL MaNEUVckS . 
.CORRECTING ACTION: 

. INITIATE ABORT. CHECK VALVES MAINTAIN PROPELLANT TANK RtSIDUAL GAS 
PRESSURE TO ALLOW POTENTIAL PLOW DOWN MODE UTILIZATION. 
.REMARKS/HAZARDS : 

. NO REDUNDANCY PROVIDED FOR LINES. IF LEAK RATE IS EXCESSIVE PRESSURE 
BUILO-UP IN MODULE MAY RESULT IN HAZARD. SEE HAZARD IYXX-0 aC'Z-lZ . 


ORIGINAL PAGE B 
OF POOR QUALITY 
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SHUTTLE CRITICAL ITEMS LIST - ORSITER 102 


SUBSYSTEM :PWO - REACTION CONTROL 
ASSEMBLY : P RESSUR TZ AT IQN HELIUM - 
P/N RI : V 07 0—421701 
P/N VENOOR: 

QUANTITY :2 

i ONE SET PER PROPELLANT 


FMEA NO 03— 2 F -101013-1 REV: 11/09/7 
ABORT: CP- IT. FUNC: 1 

CRIT. HOW: 1 

MISSIGNS: HF VF X FF OF SM 
PHASE ( S ) : PL X LO X CG X CO X LS X 


PREPARED 8Y:. 
DES 
REL 


A SIEGEL IN 
R DIEHL 


REDUNDANCY SCREEN: 
PROV£0» EY U 

s 


APPROV 
DE 

REL .JL. 



* 3 / 7 ? 


IT&5: HELIUM FEED LINE AND 
FLUID FITTINGS. 

FUNCTION: 

TO PROVIDE FEED LINE FRGM HELIUM TANKS TO HELIUM 
REGULAT ION/ PRES SURAT ION SYSTEM AND TO PROPELLANT 
TANKS. 

FAILURE MODE: EXTERNAL LEAKAGE IS) 


A-M/A 8-N/A C-N/A 

approved 
S SM 


/^CULK, 


^PROVED WITH CHANGES 
See Section 13.0 


w 

.CAUSE? S): 

. MECHANICAL S'KOCK* V I BRAT ION /FA f I GUE , IMPROPER INSTALLATION (WELD). 
FLUID FITTING SEAL FAILURE. 

.EFFECT! S3: ON ( Af SUBSYSTEM ( B 5 INTERFACES (OMISSION ( OJC^EW/VEH ICLE: 
. (A) LOSS OF HELIUM SUPPLY IF NOT I SOL A TABLE. (IE. IF UPSTREAM OF 


SOLENOID VALVE). (3) POTENTIAL OVERP RESSUR IZ A T 10 N OF F CP WARD MODULE 
FROM GROSS LEAK. (C*0) POTENTIAL MODULE DAMAGE RESULTING IN LGSS OF 
HI SSI ON/C RE'W/ VEHICLE IF GROSS LEAK OCCURS DURING CRITICAL MANEUVERS. 

.DISPOSITION S RATIONALE ( A ) DESIGN ( B 3 TEST ( C ) INSPECTION CD-) FAILURE HISTORY; 

. (A) FACTOR OF SAFETY OF A.O WILL MINIMIZE FAILURE POTENTIAL. FLUID 

FITTINGS HAVE DUAL SEALS. Vi ELD CONSTRUCTION REDUCES JOINTS AND POSSIBLE 
LEAK PATHS. FASTENING CLAMPS AND TUBE BEND DESIGN ALLOWS DEGREE OF 
MOVEMENT WHICH HELPS PREVENTING LEAKS. (B) POST INSTALLATION TEST AND 
OPERATIONAL CHECKOUTS WILL VERIFY SYSTEM INTEGRITY. ALL LINES 
SUBJECTED TO 1.25 PROOF TEST. (Cj IN PROCESS INSPECTION INCLUDES NOT £ 
LEAK CHECKS CURING INSTALLATION. TURNAROUND INSPECTION INCLUDES 
MONITORING FUNCTIONAL TESTS DURING PRESSURIZATION CYCLE FOR EVIDENCE OF 
LEAKS. WHERE ACCESSA8LE VISUALLY INSPECT FOR DAMAGE. HARDWARE 
INSPECTION IN ACCORDANCE WITH PLANNING RQMTS APPROVED 8Y NASA. (D) 

MINOR FAILURE HISTORY-CORROSION AND FAB PROBLEMS REPORTED DURING APOLLO 


PROGRAM AND CORRECTED. 

WITH APPLICABLE TMQ/TPC REQUIREMENT . HARDWARE INSPECTION IN ACCORDANCE 
WITH PLANNING RQMTS APPROVED- BY NASA. CO I MINOR FAILURE 
HISTORY-CORROSION AND FAB PROBLEMS REPORTED CURING APOLLO PROGRAM AND 
CORRECTED. 


] io£s 


S D 75 -SH -0003 



.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 020-3 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-001 6A 

P». C. Solenoid-JIal^e - Helium FAILURE MODE Falls to Close 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?. 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA. EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACT I Oil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: . 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES □ NO fX} 
♦YES □ NO Q 
YES □ *N0 0 

YES □ NO [X] 
♦YES □ NO 0 

♦YES □ NO 0 
•» 

♦YES □ NO 0 
*0 □ *lQ 20 
N/A □ YES0NO0 


YES 0*NO □ 
YES 0*NO □ 


CHANGE/RETENTIQN RATIONALE 'SUMMARY 

1. EG NO ti'/S ISSUES 

2. □ HARDWARE ACCEPTS RISK ■ 


3.P NO SOFTWARE DETECTION 
4.0 DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW* 

6. □ RECOMMENDED CHANGES BELOW 


In-Flight Detectability 

0 FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 


1. Switch scan will detect failure in OPS-2 only and only on demand. 
May not be used on STS-1 . 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS - OK 61 t ER 1C2 


SUBSYSTEM : FWD - REACTION CONTROL 
ASSEMBLY : PRESSURIZATION 
P/N PI : MC 284-04 19—001 1/-0C 12 

P/N VENDOR.: 73825 
QUANTITY :4 

: TWO REQ'D PER PRESSURANT 
: FEED ASSEMBLY 


FMEA NO 03-2F -1C1020-3 
ABORT: 


R L- v : 03 /'Jo/7 . 


CRIT. FuNC: 
CRIT. HWD: 

MISSIONS: HF VF X FF L'F Stf 
PHASE(S): PL X. LO X UG X 00 X LS 
NUK3ER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 


REDUNDANCY SCREEN: A-PASS E-PaSS C~PaS: 


FAILURE DETECTABLE IN FLIGHT?. YES 
HELIUM TANK PRESS, V4 2P 11 1G ,1112 , 1113 ,1 114, 
AND PRESS LIME; V42P1115, II 16 AND POSITION IND . 
1 12CX ,1 12 2X ,112 AX ,112 t>X 

GROUND TURNAROUND? YES 

SAME AS FLIGHT INSTR. 


TIME TO EFFECT: 
SECONDS 

REFER E.NCc DOCUMENTS: 
VL7Q— 0C824 - 
M J O' 7 0 — G 0 0 1 - u 1 6 
S L) 72“ S h— 0 103—2 
VS70-421CG1 


PREPARED BY: 
LES 
RHL 


R BURKHART 
R DIEHL 


APPROVED 

DBS 

KcL 


&Y : 


.ITEM: VALVE ,D.C* SOLENOID 

. OPERATED, HIGH PRESSURE, HE (36CG-400G PSIAj SOLENOID ACTUATED, 
bl-STABLE, (1/2") ( LV 101/102/103/104). 

. C UNCT ION: 

. THESE VALVES ARE UTILIZED TC CONTROL HELIUM PRESSURIZATION OF The RCS 
MODULE. IN THE OPEN POSITION A FLOW PATH IS PROVIDED FROM THE HELIUM 
SUPPLY TANK(S) TO THE R EGULATuK ( S ) . TWO PARALLEL PATHS ARE PROVIDED 
FOR FUEL AND OXIDIZER. ONE PaTH IS NORMALLY OPEN PER TANK. (HE VALVE 
TO CLOSED AND PARALLEL VALVE OPENED SUBSEQUENT TU A DOWN STREAM 
FAILURE. 

.FAILURE MODE: FAILS TO CLOSE (F) 

. WHEN COMMANDED TO ISOLATE DOWNSTREAM FAILURES 

.CAUSE (S ) : 

. CONTAMINATION, VIBRATION, LOSS OF ELECTRICAL INPUT, IMPROPER OPENING 
ACTUATION, PIECE PART FAILURE. 

.EFFECT (S): ON (A) SUBSYSTEM ( B ) INTERFACES (OMISSION ( D )CR EW/VfchlCL t : 

. ( A, C,0) NO EFFECT, VALVE IS FUNCTIONED (CLOSED) ONLY SUBSEQUENT 10 A 

( o ) NO EFFECT, DOES NOT INTERFACE WITH UTHER 




. 2ND ORDER FAILURE. 

SUBSYSTEMS. 
.CORRECTING ACTION: 

. NONE - 
.REMARKS/HAZARDS: 

. NONE. 



-HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03- 2F-1 Ol 020-4 
SUBSYSTEM Fwd Reaction Control FMEA HUMBER SD75-SH-D016A 

ITEM D. C. Solenoid Valve - Helium FAILURE MODE Fails Closed 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES HO Q 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT. DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES □ HO H 

USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES 0 *H0 Q 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES Q NO {T] 

'(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 


3a. IF NOT, COES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES Q NO 0 

FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? . . 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YE$ □ NO Q 

INDUCE ANOTHER FAILURE? * - , . ‘ 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES □ NO 0 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 □ *lQ 2Q 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED H/A [I]YES|2]N0n 
- TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES (X]*NO □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES {x]*NO □ 

‘EXPLANATION REQUIRED (SEE BELOW) . . 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. 0 HARDWARE ACCEPTS RISK 


3.0 NO SOFTWARE DETECTION 

4.0 DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. ’0 RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXP LANAT I ON/COf 1MENTS: 


1. Switch scan will detect failure in OPS-2 only and only on demand. 
May not be used on STS-1. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


QRSIT Ei\ 102 


SUBSYSTEM : FWO - REACTION CONTROL 


FMEA NO 03-2F -101020-4 KEV :12/C’ty 7i 


ASSEMBLY : PRESSURIZATION ABORT: 

P /N ' R I : M C 28 4- 0 4 19 -0 C 1 1 / -0 C 1 2 


CHIT. F UNC : IR 

CKIT. hWD: 2 


P/M VENDOR : 73635 
QUANTITY :4 

: TWO REQ'D PER PR2SSURANT 
: FEED ASSEMBLY 


MISSIONS: HF VF X i-F OF SM 
PHASE(S): PL X LG X 00 X CO X LS 
NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAlLuRE: 1 


REDUNDANCY SCREEN: A-PASs b-PASS C-FAI1 

FAILURE DETECTA3LE IN FLIGHT?. YES TIME TO EFFtCT: 

MONITOR TANK PRESSURE AND POSITION INDICATION MINUTES 


V42X-1120X, U22X, I124X, 11Z6X 


REFERENCE DOCUMENTS: 


V170-GGS249 


GROUND TURNAROUND ? . . . YES 

SAME AS FLIGHT INSTR. 


MJ07C-GLC-1— GIB 
S 272- S H— 0 1 0 3—2 
VS70-421CC1 


PREPARED SY: 
DES 
REL 


R BURKHART 
R DIEHL 


APPROVED BY: 

DES 

kFL 


ITEM: VALVE , D .C . SOLENOID 


OPERATED, HIGH PRESSURE. HE (36GC-40C0 PSIA) SOLENOID ACTUATED, 
EI-STARLE, . (1/2" ) ( LV 101/102/103/ 1C4) . 


-UNCTION: 

THESE VALVES ARE UTILIZED TO CONTROL hELIUM PRESSURIZATION OF Trit RCS 
MODULE. IN THE OPEN POSITION A FLOW PATH IS PROVIDED FkOM THE HELIUM 
SUPPLY TANK ( S ) TO THE REGULATOR { S J . TWO PARALLEL PATHS aRE PROVIDED 
FOR FUEL AND OXIDIZER. ONE PATh IS NORMALLY OPEN PER TANK. The V'ALVt 
IS CLOSED AND PARALLEL VALVE OPENED SuS SECUENT TO a uONN SIREaM 

failure. 


.FAILURE MODE: FAILS CLOSED 


( F} 


.CAUSE (S ) : 

. VIBRATION, CONTAMINATION CONTINUOUS rNA OVERT ENT CLOSING SIGNAL l-Uc TO 
SHORT CIRCUIT, PIECE PART FAILURE. 

.EFFECT(S): uN (A) SUBSYSTEM ( 3 ) INTERFACES (OMISSION (D )CR E«/VEhIC lL: 

. (A) LOSS OF REDUNDANT PRESSURIZATION PATH. (8,0) NO EFFECT. (C) 

. ABORT DECISION DEPENDENT ON MISSION PHASE AND ELUWDOWN CAPABILITY. 
.CORRECTING ACTION: 

if caused by vibration, the valve may be capable of opening with a New 

COMMAND OR, SWITCH TO PARALLEL REGULATION PATH - COMMAND PAkALLEL 
ISOLATION VALVE OPEN. 

.REMaRKS/HAZARCS : 

. POTENTIAL HAZARD IN ABORT SITUATION. SEE CONSOLIDATED CONTROLS FMeA 
NUMBER 73633 FMEA 1. 
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SHUTTLE CRITICAL ITEMS LIST - ORB ITER 102 


SUBSYSTEM :FWO - REACTION CONTROL 
ASSEMBLY : PRE SSUR IZATI ON 
P/N RI :MC2 84-0419-001 I/-0012 
P/N VENDOR: 73835 


FMEA NO 
ABORT: 


03-2F 


QUANTITY 


PREPARED 

DES 

REL 


:4 

:TUO REQ'O PER 
:FEED ASSEMBLY 


MISSIONS: 
PHASE I S 3 : 


HF 

PL 


•10 L02Q-4 

CR IT . 
CRIT. 
VF X FF 
: LO X CO X 


REV: 12/03/' 
FUNC: 1R 

HOW i 2 
OF SM 
00 X LS 


PRESSURANT 


REDUNDANCY SCREEN: A-PASS B-PASS C-FA: 


BY * 


BURKHART 
R DIEHL 


APPROVE 
DES 



ITEM: VALVE, O.C. 
OPERATED, HIGH 


SOLENOID 

PRESSURE. 


REL jS.;. 


HE (3600-4000 PSIA) SOLENOID 



See Section 

ACTUATEO, 


13.0 


81-STABLE, t 1/2”) ( LV 101/102/103/104) 
FUNCTION: 

THESE VALVES ARE UTILIZED TO CONTROL 
MODULE. IN THE OPEN POSITION A FLOW 
SUPPLY TANK(S) TO THE REG UL ATOR ( S ) . 


HELIUM PRESSURIZATION OF THE RCS 
PATH IS PROVIDED FROM THE HELIUM 
TWO PARALLEL PATHS ARE PROVIDED 


FOR FUEL AND OXIDIZER- ONE PATH IS 
IS CLOSED AND PARALLEL VALVE OPENED 
FAILURE. 

FAILURE MODE: FAILS CLOSED 


NORMALLY OPEN 
SUBSEQUENT TO 

IF) 


PER TANK. THE VALVE 
A OGWN STREAM 


CAUSE(S) : 

VIBRATION, CONTAMINATION CONTINUOUS INADVERTENT CLOSING SIGNAL DUE TO 
SHORT CIRCUIT, PIECE PART FAILURc- 

ErFECT(S): ON ( A ) SUBSYSTEM ( 8 ) INTERFACES (OMISSION ( D)C RE W/VEH I CLE: 

(A) LOSS OF REDUNDANT PRESSURIZATION PATH. (S,DS NO EFFECT. (C) 

ABORT DECISION DEPENDENT ON MISSION PHASE AND BLOWDOWN CAPABILITY. 

DISPOSITION £ RATIONALE IAJDESIGN { B) TEST (C ) INSPECTION (D)FAILURE HISTORY: 
(A) SERIES CONTROL CIRCUITRY PROVIDED TO MINIMIZE FAILURE MODE", 100 
MICRON FILTER IS PROVIDED. MEDIA HAS BEEN FILTERED TO 25 MICRON PRIOR 
TO ENTERING TANK. SPECIAL EMPHASAS PLACED ON THE DESIGN AND LAYOUT OF 
SOLENOID WIRING TO PRECLUDE SHORTS. (B) QUAL TEST INCLUDES 48 MINUTES 
PER AXIS OF RANDOM VIBRATION AT ANTICAPTED MISSION LEVELS AND LIFE 
TESTING CONSISTING OF 2200 OPERATING CYCLES. ITEM IS USED DURING SYSTEM 
EVALUATION AT WHITE SANDS TESTING. (C) TURNAROUND INSPECTION INCLUDES 
MONITORING TESTS TO VERIFY ELECTRICAL POWER TO SOLENOID VALVE FOR 
EVIDENCE OF SHORT CIRCUIT, SUPPLIER AUDIT CONDUCTED 8-31-77 VERIFIED 
SUPPLIER INSPECTION EXC5RCISED CONTROL OF PARTS ID, PARTS PROTECTION, 

MFG PROCESSES, CONTAMINATION CONTROL, AND CORROSION PROTECTION 
VERIFICATION- ( D ) THERE IS NO FAILURE HISTORY FOR THIS SPECIFIC DESIGN. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 030-1 
SUBSYSTEM Fwd. Reaction Control FMEA NUMBER SD75-SH-001 6A 

ITEM Helium Pressure Regulator FAILURE mode Fails Open 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES Q HO jX] 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES □ NO fX] 

USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la COHSISTEuT WITH THE FMEA EVALUATION OF YES [x] *N0 Q 

IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES Q NO |jf 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS *YES H NO Fj 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES □ M 0 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES P] NO [x] 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 □ *lD 20 

ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A [xjYEsOi!0n 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN" THE BFS BE ENGAGED AFTER OCCURRENCE? YES Q*NO □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES Q*NO Q 

*EXPLAI!ATION REQUIRED (SEE BELOW) 


CHANGE / RET ENT I ON RATIONALE SUMMARY 

1.05 NO H/S ISSUES 3,0 NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE CELGW 

: 2.0 HARDWARE ACCEPTS RISK 4, □ DETECTION DURING CHECKOUT 6. O RECOMMENDED CHANGES BELOW 


i 

i 

t 




shuttle failure .mode and effects analysis - cosher 102 / ,z 7 

tc ■ 


SUBSYSTEM JT-WD - REACTION CONTROL 
ASSEMBLY .'PRESSURIZATION 
D /N PI :MC2£4— C-413 
»/N VENDOR: 74539001 
QUANTITY :4 

: TWO REQUIRED PER 
: PRESSURANT PATH 

FAILURE DETECTABLE IN FLIGHT?. N/A 
STANDBY UNIT 


-GROUND TURNAROUND? YES 

GROUND CHECKOUT TEST PORTS 


FM.EA NO 03— 2 P -ICi03C— 1 R fcV : Ct>/i3/?. 
ABORT: CRIT. FUNC: 

CP- IT. hV.'O: 3 

MISSIONS: HF VF X FF OF SH 

PHASE(S): PL LO X 00 X DU X LS 

NUMB Lk OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 1 

REDUNDANCY SCREEN: A-PASS B-N/A C-FaS: 

TIME TO EFFcCT: 

SECONDS 

REFERENCE DOCUMENTS: 
VS70-421CC1 
MJ070-CC Q1-C1E 
SD72-SH-0 103-2 


PREPARED BY: 
DES 
REL 


J. TAGGART 
R DIEHL 


APPROVED By: 

DES 

REL 


.ITEM: REGULATOR, PRESS, HE, 

. SERIES REDUNDANT. SET AT UNEQUAL CUTLET PRESSURES - PRIMARY SET LUWcK 
THAN SECONDARY (PR 101/10 2/1G3/1G4) . 

.FUNCTION: 

. TO REGULATE STORED HELIUM PRESSURE FROM A3 00 PS1G MAX TO ULLAGE 
PRESSURE OF 245 (+ OR -3) PSIG FOR PURPOSE OF PROPELLANT F_LD TO 
THRUSTERS. TWO PARA.L LtL PATHS WITH TWO SERIES REGS ARE PROVIDED FOR 
EACH PROPELLANT TANK. 

.failure mode: fails open (fi 

. OR leaks internally. 

,CAUSE(S): 

. CONTAMINATION , VIBRATION, PIECE PART STRUCTURAL FAILURE -FLEXURES, 

3 EL LOWS, POPPET ASSY. 

.EFFECT! S) : ON lAJSU&SYSTEM ( B ) INTERFACES (C)MISSION ( D ) CR cP/ V Eh ill E : 

(A) LOSS OF ONE REGULATOR ELEMENT IN ONE PATH (PRIMARY) AND RISt li\ 

. PROPELLANT FEED PRESSURE TO SECONDARY REGULATOR ELEMENT PRESSURE 
SETTING. (S,C,D) NONE. 

. C OR RECT IMG AC T I ON : 

. NONE REQUIRED - SERIES REGULATOR ELEMENT WILL AUTOMATICALLY Ta^c OVEk 
FUNCTION. 

.REMARKS/HAZARDS: 

. SEE FAIRCHILD FMEA # RR74339-12. 


a 


zA 


A 


OceJS? 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 

Fwd Reaction Control FMEA NUMBER 

FAILURE MODE 


SUBSYSTEM 

ITEM Helium Pressure Regulator. 


03-2F-1 01 030-2 
SD75-SH-0016A 


Fails Closed 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
■ ANNUNCIATE OR TAKE ACTION III RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA .EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER SY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? * - 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIOED 
• TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8 . 


YES 

m 

NO 

□ 

*YES 

□ 

NO 

□ 

YES 

□ 

*N0 

m 

YES 

□ 

NO 

B 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

a 

*YES 

□ 

NO 

m 

*o C 

i *ii 

0 

2(3 


IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 
*EXPLANATION REQUIRED (SE'E BELOW) 


m DyesEOhoQ 


YES Oj*N0 □ 

YES G3*N0 □ 


' CHANGE/RETENTION RATIONALE SUMMARY 

1. UIi NO H/S ISSUES • - . ... 

2. j£j HARDWARE ACCEPTS RISK 


3. D NO SOFTWARE DETECTION 
‘4. O DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE 'BE LCW 

6. □ RECOMMENDED CHANGES BELOW 


FMEA should be .changed from"NA" to 


"yes 11 


for in-flight detectability via V42P1115C and 111 6C 


(YjFMEA CHANGE RECOMMENDED 

EXPLANATIOM/CQMMEHTS : - . ‘ 

1. V42P1115C, 1116C, will sense the pressure drop initiating a class 2 alarm from 

GAX. 

2. Failure is "hardware detectable" by V42P1115C and V42P1116C pressure drop. 

6. Upon regulator failure the redundant parallel "leg" can be utilized. 
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shuttle failure mode and effects analysis - OKdITER 102 


SUP SYSTEM : FWC - REACTION CONTROL 
ASSEMBLY : PReSSJRIZAT ION 
P/N R 1 :MC 284—04-18 
P/N VENDOR: 743390 01 
QUANTITY :4 

:TwO REQUIRED PER 
:PRESSURaNT PATh 

FAILURE DETECTABLE IN FLIGHT? * NA_ 
STANDBY REDUNDANCY 


GROUND TURNAROUND?,.. YES 

GROUND CHECKOUT TEST PORTS 


FMEA NO G3-2F -1C103C-Z REV:l 1/13/7: 
ABORT: CR1T. F UNC : 1R 

CR IT. KwD : 2 

MISSIONS: HF VF. X ft UF SM 

PHASE(S): PL LC X GO X DO X LS 

NUMBER OF SUCCESS PAThS REMAINING 
AFTER FIRST FAILURE: Y 

REDUNDANCY SCREEN: A-PASS S-PASS* C-PAS: 

7IMt TO EFFECT: 

MINUTES 

REFERENCE DOCUMENTS: 
VS70— 4-21C 01 
M JO-70 — GOO 1— V’ 1 c 
SD72-SK-C 102-2 


PREPARED by: APPROVED EY: 

DES J. TAGGART DES „ 

REL R DIEHL REL 


.ITEM: REGULATOR , PRESS, HE, 

. SERIES REDUNDANT. SET AT UNEQUAL OUTLET PRESSURES - PRIMARY ScT LOWER 
THAN SECONDARY (PR 10 1/ 10 2/ 1C3/ 1G4 ) . 

.FUNCTION: 

. TO REGULATE STOREC HELIUM PRESSURE FROM 40 CO P$IG MAX TO uLLAGc 
PRESSURE OF 245 {+ OR ~3) PSIG FOR PURPOSE OF PROPELLANT FEED (0 
THRUSTERS. TWO PARALLEL PATHS WITH TWO SERIES REGS ARE PROVIDED FOR 
EACH PROPELLANT TANK. 

.FAILUk? MODE: FAILS CLOSED ( F) 

. (LOW PRESSURE) 

.CAUSE(S): 

. CONTAMINATION (PARTIAL BLOCKAGE OF PILOT SCREEN ) FRU/1EN MOISTURE PIECE 

part failure* vibration. 

.EFFECT(S): ON (A) SUBSYSTEM (3 ) INI CRFACES (C)MISSION (OCREW/VznlCLfcs 
. (A) LOSS OF ONE REGULATOR PATH. (b,C) POTENTIAL ABORT BECAUSE ONE 

. ADDITIONAL FAILURE MAY CAUSE LOSS OF PR ESS UR 12 AT 1 ON AND SUBSEQUENT 
VEHICLE LOSS. (D) NONE. (E) FUNCTIONAL CRITICALITY EFFECTS - if 
FAILURE OCCUR BEFORE El SEPARATION, LOSS OF HELIUM WOULD PREVENT El 
SEPARATION AND LOSS OF CREW/VEHICLE WOULD RESULT. 

.CORRECTING ACTION: 

. CLOSE HIGH PRESSURE ISOLATION VALVE IN EFFECTED PATH AND OPEN HIGH 
PRESSURE ISOLATION VALVE IN PARALLEL PATH. 

.REK ARKS/HAZARDS: 

. POTENTIAL ABORT BECAUSE ONE ADDITIONAL FAILURE (CLOSED) MAY CAjSE LOSS 
OF PRESSURIZATION AND SUBSEQUENT VEHICLE LOSS (REQUIRES 2ND., ORDER 
FAILURE) DEPENDENT ON MISSION PHASE- SEE FAIRCHILD FMEA' > 'RU 74-339-12. 
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shuttle critical items list 


OP BITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY iPRESSUR IZAT ION 
P/N RI :MC2 84-0413 
P/N VENDOR: 7 A3 39001 
QUANTITY :4 

: TWO REQUIRED PER 
: PRE SSURANT PATH 


PREPARED BY: 

DES 

REL 


J. TAGGART 
R DIEHL 


FMEA NO 03-2F -101030-2 PEV: 11/13/75 
ABORT: CRIT. FUNC: IP. 

CR IT - HDW : 2 

MISSIONS: HF VF X FF OF SM. 

PHASE { S } : PL LO X 00 X DO X LS 


REDUNDANCY SCREEN: 


APPRISED «/: 

D E „ . 

RE 


ITEM: REGULATOR* PRESS* HE* 

SERIES REDUNDANT. SET AT UNEQUAL OUTLET PRESSURES 
THAN SECONDARY (PR 101/102/103/104). 

FUNCTION: 


A-PASS B— ° ASS C-P AS? 

ss.S R t 

'XGSl^c^k 

APPROVED WITH CHANGES 
See Section 13.0 
- PRIMARY SET LOWER 




. TO REGULATE STORED HELIUM PRESSURE FROM 4C00 PSIG MAX TO ULLAGE 
PRESSURE OF 245 t + OR -3) PSIG FOR PURPOSE OF PROPELLANT FEED TO 
THRUSTERS- TWO PARALLEL PATHS WITH TWO SERIES PEGS ARE P D GVI DED FOR 
EACH PROPELLANT TANK. 

-FAILURE MODE: FAILS CLOSED IF) 

. (LOW PRESSURE) 

-CAUSE! S i : 


. CONTAMINATION (PARTIAL BLOCKAGE OF PILOT SCREEN) FROZEN MOISTURE PIECE 
PART FAILURE* VIBRATION. 

«. EFFECT ( S ) : ON ( A) SUBSYSTEM I B ) INTERFACES (C)MISSION (D)C PEW /VEHICLE: 

. (A) LOSS 3F ONE REGULATOR PATH. IB*C) POTENTIAL ABORT BECAUSE ONE 

ADDITIONAL FAILURE MAY CAUSE LOSS OF PRESSUR IZATION AMD SUBSEQUENT 
VEHICL E LOSS - ID) N ONE- ' I . 


.DISPOSITION & RATIONALE (A) DESIGN { &)T EST (C ) INSPECTION (D)FAILURE HISTORY: 
. (A) EXPERIENCE FROM PREVIOUS REGULATOR DESIGN TO BE APPLIED TO PRECLUDE 

PIECE PART FAILURE AND SELF GENERATED CONTAMINATION. ALSO, 25 MICRON 
INTREGAL INLET FILTER PROVIDED TO MINIMIZE CONTAMINANTS. { 8 1 QUAL 
TESTING INCLUDES 28 HOUR SAND AND DUST TEST* 48 MINUTES PER AXIS OF 
RANDOM VIBRATION AT ANTICIPATED MISSION LEVELS AND LIFE CYCLE TESTS OF 
50c 000 CYCLES FOR THE MAIN STAGE AND 100*000 CYCLES FOR PILOT STAGE. 

(C) TURNAROUND INSPECTION INCLUDES MONITORING TESTS TO VERITY FUNCTIONAL 
OPERATION IS WITHIN SPECIFIED LIMITS. SUPPLIER AUDIT CONDUCTED VERIFIES 
WITHIN SPECIFIED LIMITS. SUPPLIER AUDIT CONDUCTED VERIFIES SUPPLIER 
CONTAMINATION CONTROL* AND STORAGE ENVIRONMENT. ( D) NEW DESIGN FOR 
SHUTTLE APPLICATION. NO FAILURE HISTORY DATA AVAILABLE FOR THIS DESIGN. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 
SUBSYSTEM Fwd, Reaction Control FMEA HUMBER ' 

ITEM Manual Valve FAILURE MODE Fails ( 


03-2F-1 01 050-1 
SD75-SH-00I 6A 


1. DOES- THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO 0UEST10NS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COi SflAfJO IMG HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARC LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. ' 

7. IF 'CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATIO.’l REQUIRED (SEE BELOW) 


YES Q NO □ 
*YES □ NO p 
YES '(3*N0 □ 

‘ YES P NO [Xj 
*Y£S □ NO [X] 

*YES □ NO [1] 
*YES □ NO 0 

*0 0 *lQ 20 

N/A PYES0HOP 

YES (~X|*NO □ 

YES [xj*NO p 


| CHANGE/ RETENTION RATIONALE SUMMARY 
1.0 NO H/S ISSUES 
[ 2. QO HARDWARE ACCEPTS RISK 


3. (HI NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



shuttle failure mode and effects analysis 


llRF'ITLR 102 


SUBSYSTEM :FW0 - REACTION CONTROL 
ASSEMBLY : PKESSURI ZATION 
P/N R I : MC284— 0460— 00C1/-C 002 

P/N VENDOR: S760C1 5, 576G016 
QUANTITY : 2 

: ONE RE G * D PER TANK 


FAILURE DETECTABLE IN FLIGHT?. YES 
PROPELLANT TANK PRESSURE VA-2P-121G 


GROUND TURNAROUND? YES 

SAMt a.S FLIGHT 


FMEA NO 03-2F -10105C-I RtV:C I/LA/7 t 
ABORT: CR1T. FUND: 

CHIT. h WO : 3 

MISSIONS: HF VF X FF OF $M 

PHASE! S) : PL LO X 00 X DO X LS 

NUMBER OF SUCCESS PATHS REMAINING 
-AFTER FIRST FAILURE: C 

EDUNDANCY SCREEN: A-PaSS u-N/A C-PA$< 

TIME Tu EFFECT: 

1115, 1 116, 131C SECONDS TO MINOT t 

REFERLNCh DOCUtfbN 
MJCTC-OeOl-ClB 
SD 72-Sr-t— o 1 -_-3— 2 
VS7Q-421C01 


PREPARED BY: APPROVED BY: 

DES R. C-ONZALEZ OSS 

REL R DIEHL REL 


ITEM: VALVE, MANUAL-OPERATED. 

TWO POSITION SELECTOR VALVE (WITH STRUCTURAL INTERLOCK) (MV lCi/1^2). 

function: 

TO PROVIDE ISOLATION OF PROPELLANT TANK IS) FROM PRESSURE CYCLES WiILE 
PERFORMING GROUND C/0 AND/OR SERVICIN'^ OF PRESSURIZATION SYSTEM. 
FAILURE MODE: FAILS CLOSED OR OPEN (_) 

STRUCTURAL FAILURE. 

CAUSE(S ): 

SEVERE MECHANICAL SHOCK OR VIBRATION CAUSING DETENT MOVEMENT ON A 
DEFICIENT VaLVE LOSS OF INTERLOCK BY FRACTURE OF DRIVE FINGlR OR 
RUCKER, CORROSION, CONTAMINATION, IMPROPER USE. 

.EPFECT(S): ON ( A) SUBS YST EM (B ) INTERFACES (OMISSION (0 )CR LW/VEHIC LE : 

. (A)(B) LOSS OF FUNCTION (IN ABILITY TO PERFORM SYS C/0. (C) LAUNCH 

. DELAY. (D) NO EFFECT. 

.CORRECTING ACTION: 

. NONE AVAILABLE. 

.R EMARKS/HAZARDS : 

. NO HAZARDS IDENTIFIED. 


ORIGINAL PAGE IS 
OF POOR QUALITY 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-T 01050-2 
SUBSYSTEM Fwc. Reaction Control FMEA NUMBER SD75-SH-0Q16A 

ITEM Manual Valve FAILURE MODE Internal Leakage 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES Qj NO Q 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES Q NO O 

USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES Q] *N0 Q 

IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TALE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES Q NO fX] 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES Q NO [X] 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES Q NO QfJ 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES Q NO (Tf 

OTHER FUNCTIONS? 

? 6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 0 *lQ 

\ ACTION AND HARDWARE/SOFTWARE OPERATION}? NOTE CHANGE TO FMEA CRITICALITY. 

i 7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A □ YES[Xj;!oQ 

TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? ' ■ 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

! A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES (Xj*NO Q 

| B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES [Xj*ii0 □ 

| *EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3.Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2.(13 HARDWARE' ACCEPTS RISK 4. tZJ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



1. If valve is cracked open V42P1115A, 11 16A would alarm. 

6. There are no success paths remaining after first failure. 
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SHUTTLE- FAILURE MODE AND EFFECTS ANALYSIS 


CRB I TER 102 


SUE SYSTEM JFkU - REACTION CONTROL 
ASSSMELY : PRES SUR I 2ATIQN 
P/N R I :,MC 284— 0480-000 1/— 0002 

P/N VENDOR: 5780CI 5, 5760016 
QUANTITY : 2 

: ONE REQ'O PER TANK 


FMEA NO 03-2F -1G1C5C-2 REV:0 1/C A/7, 

ABORT: GRIT. FUNC: 


CK1 i m hWD : 3 

MISSIONS: HF VF X FF OF SM 

PHASE(S): PL LO X GO X DO X LS 

NUMBER OF SUCCESS PAThS RcMAlNlNG 
AFTER FIRST FAT LURE: 0 

REDUNDANCE SCREEN : A-PASS 5-N/A C-PASF 


FAILURE DETECTABLE IN FLIGHT?. YES TIME TO EFFECT: 

PROPELLANT TANK PRESSURE V42P-1210 , 1115, 1 116 ,1310 SECONDS TO MNUTES 

REFERENCE DOCUMENTS: 


'’ROUND TURNAROUND? YES 

Saxe AS FLIGHT 


MJC70-C001— l-IR 
SD72-SH-0IC3-2 
VS 70-42 iOCl 


PREPARED BY: APPROVED BY: 

DES R. GONZALEZ DES 

REL R DIEHL REL 


. ITEM.: VALVE, MANUAL-OP ERA TED . 

. TWO POSITION 'SELECTOR VALVE (WITH ST RUCTURAL INFER LOCK } (XV 101/102). 
.FUNCTION: ^ 

. TO PROVIDE ISOLATION OF PROPELLANT TANK(S) FROM PRESSURE CYCLES WHILE 
PERFORMING GROUND C/0 AND/OR SERVICING OF PRES SUR 1 CATION SYSTEM. 
.FAILURE MODE: EXCESSIVE INTERNAL (_) 

. LEAKAGE. 

.CAUSE (S ) : 

. SEVERE MECHANICAL SHOCK OR VI6RATIGN CAUSING DETENT MOVEMENT ON A 
DEFICIENT VAL VIE LOSS OF INTERLOCK BY FRACTURE OF uFlVS FINGER OR 
RUCKER, CORROSION, CONTAMINATION, IMPROPER USE . 

.EFFSCT(S): ON (A) SUBSYSTEM ( B ) INT ERFACES (C)MISSiON ( 0 )CR tk/Vuhi lLl : 

. ( A , E ) LOSS GF FUNCTION (IN ABILITY TO PERFORM SYS C/0). ( L 3 LaUNCh 

. DELAY. (D) NO EFFECT. 

.CORRECTING ACTION: 

. NONE AVAILABLE. 

.R EM ARKS /HAZARDS : 

. NO HAZARDS IDENTIFIED. 
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SUBSYSTEM 


Relief Valve 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03.-2F.1 01 060-1 
ntrol FMEA NUMBER SD75-SH-0Q1 6A 

: FAILURE NODE External l.eakaoe Ovei 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES fx} NO □ 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT. DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES □ NO (“1 

USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES PH *N0 fl 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS CF THE FAILURE YES □ NO [XI 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES □ NO GO 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES □ NO fx] 

INDUCE ANOTHER FAILURE? • „ 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES f”j NO W 

OTHER FUNCTIONS? 


6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 □ *in 2[x3 
ACTION AND -HARDWARE/SOFTUARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED fl/A Q YESPTi NOG”} 
TO SIGNAL THE NEED FOR INTERVENTION AMD' THE REQUIRED CORRECTIVE ACTION? 


8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES Q*f!0 □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES (X]*NO □ 

♦EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

l.Q NO H/S ISSUES - 3.P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. OD HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES 8EL0W 


□ FMEA CHANGE RECOMMENDED 



1. Leakage of helium will cause a class 2 alarm. 
Gross leak detection' should occur first. 
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SHUTTLE FAILURE MODE AMD EFFECTS ANALYSIS - ORSITEs 102 


S'JE SY STEM JFWCJ - REACTION CONTROL 

ASSEMBLY : PRCSSUR IZAT ION 

P/N R I * MC 2 S R— 0421—0001/ —0 002 


FMEA NO 03-2F -101060-1 ktV:01/0<i/7; 

ABORT: GRIT. FUNC: 

CR I T . hwD : 3 


P/N VENDOR: 576000 9-10 It 576001 C-102 MISSIONS: HF VF X FF OF SM 

Quantity :2 ' phase(S): pl lo x go x do a i_s 

:ONE REQ * D PER TANK NUMBER OF SUCCESS PaTHS REMAINING 

: AFTER FIRST FAILURE: 2 

REDUNDANCY SCREEN: A-N/a 3-N/A C-N/A 

FAILURE DETECTABLE IN FLIGHT?. YES TIME TO EFFECT: 

PRESSURE DECAY IN PRESS- SYSTEM VA-2P-1115C AND HOURS 

1116C {TANK ULLAGE) REFERENCE DOCUMENTS: 

MJ070-CCC1-01B 


GROUND TURNAROUND?.... YES S&72-SH-G1C3-2 

TEST PORT FOR GROUND CHECKOUT AND SACK CHECK V5.7G— A21GG1 


PREPARED BY: APPROVED SY: 

DES R GONZALEZ DES 

REL R DIEHL REL 


ITEM: VALVE, PRESS. RELIEF - 

CRCKN6 PRESS 315 PSiG, FULL OPEN 24-0 PSIG, RESEAT 31C PslG (RV 

1 01 / 102 ). 

= UNCTION: 

RELIEF VALVE PROVIDED TO PREVENT RISE OF TANK AND LINE PRESSURES TO 
LEVELS WHICH COULD BE DETRIMENTAL TO SUBSYSTEM. 

FAILURE MODE: EXTERNAL LEAK {__> 

LEAKS OVERBOARD THRU BELLOWS £ ORIFICE. 

CAUSE (S): 

GALVANIC CORROSION, IMPROPER INST ALLATI ON/HANDLINU, FATIGUE UR 
STRUCTURAL FAILURE. 

EFFECT(S): ON (A) SUBSYSTEM { B ) IN TERFACES t C ) MISSION {OCR EW/VEhiCLS : 

(ALB) SUBSYSTEM DEGRADATION - HELIUM LEAKS uVEkSOARD AT snATE CONTROLLED 
BY ORIFICE. ( CCD) NO EFFECT UNLESS LEAK IS EXCESSIVE. 

CORRECTING ACTION: 

MONITOR SYSTEM FOR HELIUM LOSS. 

REM ARKS/HAZARDS : 

NO HAZARD IDENTIFIED. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 060-2 
SUBSYSTEM Fwd. Reaction Control FNEA NUMBER SD75-SH-0Q16A 

ITEM Relief Valve FAILURE MODE Bur st Disc ! 


1. 30ES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT , DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR, IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER bY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE 8FS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


YES 0 NO Q 
*YES □ NO P 
YES '□ *N0 p 
' YES □ NO p) 
*YE$ □ NO P 

*YES P NO [X] 
*YES P NO (X] 

*0 □ *ip 2[xj 

N/A 0YESD;.Op 


yes Q*i;o □ 

YES 0*NO □ 


CHANGE/RETEiiTIGN RATIONALE SUMMARY 

1. Q NO H/S ISSUES 

2. QQ HARDWARE ACCEPTS RISK 


3. P HO SOFTWARE DETECTION 

4. ID DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


In-Flight Detectability 
[X! FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 


1. May see discrete drop in RCS quantity. V42P1115Cj 111 6C will give class 2 caution 
and warning alarm. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS - ORBIlfcK ICE 


SUBSYSTEM : FWD - REACTION CONTROL 
ASSEMBLY : PRES SUR I ZATI ON 
P/N RI : MC 284-0421-000 1/— 0002 

°/N VENDOR i 5760 LO 9—10 It 57oOCl 0—102 
QUANTITY :? 

: ONE Rfc'j * D PER TANK 


FAILURE DETECTABLE IN FLIGHT?. NO 


GROUND TURNAROUND? NO 


FMEA NO C3-2.F -101060-2 
ABORT: CP IT. 

CRiI . 


Rtv:Gl/64/7. 
F UNC : 
hWO : 3 


uF SM 
X DO X LS 
REM A IN IN'S 

/ 

fi-PASS C-PAS. 1 


MISSIONS: HF VF X FF 

PHASt(S) : PL X LO X C'U 

NUMBER OF SUCCESS PATHS 
AFTER FIRST FAILURE: 

REDUNDANCY SCREEN: a-PaSS 

TIME TO EFFECT: 
IMMEDIATE 

REFERENCE OOCUMEMS: 
MJ 070 -COC 1-01 l 
SD72— SH— 0103— 2 
VS70-A2IGCI 


PREPARED BY : 
DES 
REL 


R GONZALEZ 
R OIEHL 


APPROVED By: 

DES 

R'bL 


ITEM: VALVE, PRESS. RELIEF - 

CRCKNG PRESS 315 PSIG, FULL OPEN 340 PSIG, RESEAT 31C PSIG (RV 
1C1/1C2). 

FUNCTION: 

• RELIEF VALVE PROVIDED TO PREVENT RISE OF TANK AND LINE PRESSURES TO 
LEVELS WHICH COULD BE DETRIMENTAL TO SUBSYSTEM. 

FAILURE MODE: FAILS OPEN ( „) 

burst disc ruptures. 

CAUSE (S 3 : 

REGULATOR PRESSURE SURGE, INCORRECT PRESSURE SETTING, FATIGUE. EXtcSS 
PRESSURE CYCLING, VIB, MAT'L DEFECT PROP TEMP RISES. 
hrPECT(S): ON { A) SUBSYSTEM ( B ) INT ERFACES (C)MISSION (u )CR EW/VtKlC Lfc : 

(A, 3) LOSS OF REDUNDANCY (LEAKAGE OR OPEN MODE) (MAIN POPPET PKOVlDbS 
REDUNDANCY). (C,D) NO EFFECT. 

CORRECTING ACTION: 

MONITOR SYSTEM FOR POTENTIAL HELIUM LOSS OR PROP, TANK PKESSUK- 
DECREASE. REPLACE VALVE AFTER LANDING. 

REM ARKS/HAZARDS : 

NO HAZARDS IDENTIFIED. 
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■ HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 060-3 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-0016A 

ITEM Relief Valve : FAILURE MODE Fails t.n Bur st 


1 . 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

YES 

0 

NO 

□ 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? * 

*YE$ 

□ 

NO 

P 

2. 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

m 

*N0 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 

YES 

□ 

NO 

m 


(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERiiATF 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? - ■ 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIOED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE 8FS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE. BELOW) . . 


CHANGE/RETENTION RATIONALE SUMMARY ‘ • • - . . • - 

1.0 NO H/S ISSUES ' . 3.p NO SOFTWARE DETECTION ‘ 5. □ ACCEPTANCE RATIONALE BELOW 

2. QJ HARDWARE ACCEPTS RISK 4. [ZJ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


*YES 

□ NO 

0 

*YES 

□ NO 

0 

*YES 

□ NO 

0 

*o □ *iQ 

2(3 

H/A ByESP; 

10 □ 

YES 

0*NO 

□ 

YES 

0*NO 

□ 


Qfmea CHANGE RECOMMENDED 


EXPLANATION/COMMENTS: 

1. Over pressurization will cause class 2 alarm; >312 psi. (GAX) 
V42P1115C, 1116C. 
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shuttle failure mode and effects analysis 


QR3I TER 102 


SUBSYSTEM 
A SSEMSLY 
P/N R I 
P/N VENDOR 
quantity 


FWD - REACTION CONTROL 

PKESSURIZA1 ION 

MC 28 4- 0421 -0 00 1/ -C C02 


FMEA NO 03-2F -101060-2 REV: 01 /C4/7i 

ABORT: CHIT. FUNC: 

CR 1 1 . ha'Lj : 2 


2760009-101,2760010-10? 

2 

ONE REQ'D PER TANK 


MISSIONS: HP VF X FF OF S ft 

PHASEtS): PL LO X 00 X 00 X lS 

NUMBER OF SUCCESS PAThS REMAINING 
AFTER FIRST FAILURE: 2 

REDUNDANCY SCREEN: A— N / A B-N/A C-N/A 


FAILURE DETECTABLE IN FLIGHT?. YES 
PRESSURE RISE IN HELIUM SYSTEM V42P 


1116C (TANK ULLAGE PRESSURE) 

GROUND TURNAROUND? YES 

TURNAROUND TEST PORI PROVIDED 


TIME TO EFFECT: 

1115 C AND SECONDS 

REFERENCE DOCUMENTS: 
MJC70— CCC i— U 1 E 
SD72-Sh— 2 iO-- t 
VS70— n2 100 1 


PREPARED BY: 

DES R GONZALEZ 

REL R DIEHL 


APPROVED BY: 

DES 

REL 


ITEM: VALVE, PRESS. RELIEF - 

CRCKNG PRESS 215 PSIG, FULL OPEN 340 PSIG, RESEAT 310 PSIG (kV 
101 / 102 ). 
function: 

RELIEF VALVE PROVIDED TO PREVENT RISE OF TANK AND LINE PRESSURES 10 
LEVELS WHICH COULD BE DETRIMENTAL TO SUBSYSTEM. 

failure mode: fails to burst <_> 

OK BURSTS at A HIGHER THAN NOMINAL PRESSURE. 

CAUSE (S ) : 

IMPROPER INSTALLATION QK HANDLING DAMAGE THAT CAUSlS DISC 1C STICK 
PIECE 'PART FAILURE, PRESSURE BUILD UP ON REVERSE SIDE. 

EFFECT! S): ON (A) SUBSYSTEM (&) INTERFACES (C) MISSION (D)CR EW/VEhIClb: 
(A) NO EFFECT UNLESS MULTIPLE FAILURES OCCUR. (6> DEGRADATION OF 
INTERFACE SUBSYSTEM. PROP TANK ULLAGE PRESSURE MA V INCKEASc AbUVc 
WORKING PRESSURE LIMITS. (C,D) NONE SEE (A) A30VL. 

CORRECTING ACTION: 

CLOSE HELIUM ISOLATION VALVES, HOWEVER RELIEF CCULD BE COMPLETED BY 
FIRING THRUSTERS. 

REMARKS/HAZARDS: 

NO HAZARDS , UNIT IS STANDBY - BACKUP FOR REGULATOR FAILURES. NO 
REDUNDANCY PROVIDED. 


OF 


p 00R 


QUAU Iff 
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•HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 060-4 

SUBSYSTEM Fwd Reaction Control FHEA NUMBER ' SD75-SH-0016A 

ITEM Relief Valve FAILURE MODE Onem: I nw 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION III RESPONSE}?- 

la. IF NGT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FME A. EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION}? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER I OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? - 

♦EXPLANATION REQUIRED (SEE BELOW) - - 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES' * . . _ , 3.p NO SOFTWARE DETECTION ' .5. □ ACCEPTANCE RATIONALE 8ELCV 

2.(3 HARDWARE ACCEPTS RISK '4-1Z3 DETECTION DURING CHECKOUT 6. 0 RECOMMENDED CHANGES BELOW 


In-Flight Detectability 

OD FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS: 


1. Leakage of helium will cause an oxidizer/fuel imbalance of 12.6 percent. May get a 
gross leak detection alarm. 
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shuttle failure mode and effects analysis 


ORB I TER 1DL 


Ub SYSTEM :FWD - REACTION CONTROL 
SS5MBLY : PRESSURI ZATION 
/N R I : MCZ84— 0421- CGO I/— 0CC2 

/iv VENDOR: 576GCG 9-10 l f 5760010-102 
QUANTITY :2 

: ON'E KEQ * D PER TANK 


FMEA NO 03-2F -1C106C-4 R £ V: C-l /C-4/7 f 

ABORT: CR17. FUNt: 

GRIT. HWOi 3 

MISSIONS: hF VF X FF- OF. Stf 

PHASE(S): PL LU X 00 X DO X LS 

NUH8ER OF SUCCESS PATHS REMAINING 


AFTER FIRST FAILURE: 




REDUNDANCY SCREEN: 

FAILURE DETECTABLE IN FLIGHT?. NO 

UNLESS EXCESSIVE PRESSUR E DROP IS EVIDENT IN 

TANKAGE 


A- b- C- 

1 IME TO EFFECT: 
SECONDS TO DAYS 
REFERENCE DOCOMcNTE: 


MJ 070-000 I -C lb 


GROUND TURNAROUND? NO 

S A v > i£ AS FLIGHT 


SDT2— SH-010E— 1 
VS7C—4Z2 OOi 


PREPARED BY: 
DES 
REL 


R GONZALEZ 
R DIEHL 


APFROVED BY: 

DES 

REl 


ITEM: VALVE, PRESS. RELIEF - 

CRCKNG PRESS 315 PSIG, FULL OPEN 540 PSIG, RESEAT 31C PSIG (RV 
101 / 102 ). 
function: 

RELIEF VALVE PROVIDED TO PREVENT RISE GF TANK AND LINE PRESSURES TO 
LEVELS WHICH COULD BE DETRIMENTAL TO SUBSYSTEM . 

FAILURE MODE: PREMATURE/ERRATIC OF ERA- (F) 

T ION , INTERNAL LEAKAGE, OPEN BELOW NOMINAL CRACKING PRESSURE. 

CAUSE IS ) : 

VIBRATION, MECHANICAL SHOCK, CONTAMINATION, PIECE PART STRUCTURAL 
FAILURE OF POPPET. 

EFFECT ( S) : ON (A) SUBSYSTEM ( B ) INTERFACES (OMISSION ID )CR tW/VEHICLC: 

(A) LOSS OF HELIUM OR PROPELLANT VAPORS OVERBOARD. (3) INABILITY TO 
PRESSURIZE PROPELLANT TANKS IF LEAK IS EXCESSIVE. (C) POTENTIAL 

ABORT IF EApxLY IN MISSION, WOULD REQUIRE PRIOR FAILURE (BURST DISC 
0?EN'). (0) NONE. 

.CORRECTING ACTION: 

. N ON E • 

.REM ARKS/HAZARDS: 

. WOULD REC'U IRE BURST DISC FAILURE BEFORE LEAKS OVERBOARD. NO KcGUNUANL Y 
PROVIDED. 


ORIGINAL IS 

®!F QUALITY 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 060-5 

SUBSYSTEM Fwd ' Rpar.t.inn Control FMEA NUMBER SD75-SH-001 6A 

ITEM Relief Valve FAILURE MODE Fails to Oppn 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
■ ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la, IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE {EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MOOE, CAN THE SOFTWARE OVERSTRESS 'THE HARDWARE OR 

INDUCE ANOTHER FAILURE? * ‘ 

5. CAN THIS FAILURE MODE-, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AMD THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE- BFS BE ENGAGED AFTER OCCURRENCE? 

B, WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES 

a 

NO 

□ 

*YES 

□ 

NO 

P 

YES 

a 

*N0 

□ 

YES 

□ 

NO 

m 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

0 


*0 □ *lQ 2[xj 
m/a Dyes® no □ 


YES (D*NO □ 

YES (D*NO □ 


CHANGE/ RETENT I OH RATIONALE SUMMARY 

NO H/S ISSUES - - 3. D NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2.QJ HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. D RECOMMENDED CHANGES BELOW 


QFMEA CHANGE RECOMMENDED 

EXPLANATION/COMMENTS : •_ . 

1. Over pressurization will cause a class 2 alarm, V42P1115C, 11160. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


Ok 3 ITER 102 


SUBSYSTEM : FQ 0 - REACTION CONTROL 
ASSEMBLY : PRES SURI ZA. YIGN 
P/N Rl : MC28A-C 421-0 OS 1/-0002 

P/N VENDOR: 5760009-10 l,57t>0Cl C-10? 
QUANTITY : 2 

:ONE REQ'D PER TANK 


FMEA NO G3-2F -1C1J6C-5 REV: li / 
ABORT: C*IT. FUi^C: 

CrIT. Hy 4b i . 

MISSIONS: H c VF X FF ur SM 
PhASE(S): PL X LO X CO X CO X LS 
NUMBER Or SUCCESS PATHS REMAINING 


: AFTER FIRST FAILURE: 

REDUNDANCY SCREEN: A- R- C 

FAILURE DETECTABLE IN FLIGHT?. YES TIME Tu EFFECT': 

TANK PRcSSURfc MONITOR V42P-1I1 6C , il 1 5C , 12 ICC » SECONDS TO DAYS 

131 CC REFEREnCil DOCUMENTS 


M J C 7 0 — C 0 G I - 0 1 3 


GROUND TURNAROUND? YES SD72-SH-G 1C3-S 

SAME AS FLICHT VS70-421CC1 


PREPARED BY: 
DES 
REL 


R GONZALEZ 
R DIEHL 


APPROVED BY: 

DES 

REL 


ITER: VALVE, PRESS. RELIEF - 

CRCKNG PRESS 315 PSIG, FULL OPEN 340 PSIG, RESEAT SIC PSIG (KV 
1 Cl/1 02 ) . 

FUNCTION: 

RELIEF VALVE PROVIDED TO PREVENT RISE OF TANK AND LINE PtscSSURES TO 
LEVELS WHICH COULD BE DETRIMENTAL TO SUBSYSTEM. 

FAILURE MODE: FAILS TO OPEN - (F) 

AT NOMINAL CRACKING PRESSURE 
CAUSE(S): 

CCNTAMINA1 ION, PIECE PART STRUCTURAL FAILURE, POPPET GALlING. 
FFFECTIS): ON (A) SUBSYSTEM ( E ) 1NT EFFACES (C)MISSlGN (D)CR Ew/Vtn ICL a: 
{A} LOSS OF RELIEF PATH. (B,D) NONE. ( C ) PO TcN! I AL MISSION LOSS 
(ABORT DECISION) IF EARLY IN MISSION WOULD REQUIRE 2 PRIG* FAILURES. 
CORRECTING ACTION: 

FIRE ALL THRUSTERS NON-PROPULS I VELY . 

■-< pvs ARKS/HA Z ARDS : 

. POT EM FI AL TANK RUPTURE ON 3RD ORGEPs FAILURE NO OTHER RELIEF PATH ruR 
SYSTEM. 



>- u / 7 1 


0 
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-HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 070-1 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-0016 A 

ITEM .Fill Quick Disconnect. Helium FAILURE MODE Fa ■=: Open. Hap I eaks 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE}?- 

YES 

S NO 

□ 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? \ 

*YES 

□ NO 

P 

2. 

ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA .EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

0 ’NO 

0 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
{EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

□ NO 

0 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE, MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

♦yes 

o 

zzi 

□ 

0 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? * . 

*YES 
^ « 

□ NO 

a 

5. 

CAN THIS FAILURE MOOE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

*YES 

□ NO 

EJ 

6. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

*o □ *i(3 

zD 

7. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND. THE REQUIRED CORRECTIVE ACTION? 

N/A □ YESQCJnqQ 

8. 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

YES 

00*NO 

□ 


B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

OlNo 

□ 

♦EXPLANATION REQUIRED (SEE BELOW) 





CHANGE/ RETENTION RATIONALE SUMMARY ; . ...... 

1.0 NO H/S ISSUES . 3. p NO SOFTWARE DETECTION ' 5. □ACCEPTANCE RATIONALE BELOW 

2.£X} HARDWARE ACCEPTS RISK 4.C3 DETECTION DURING CHECKOUT 6. D RECOMMENDED CHANGES BELOW 


I n- f-1 i g ht detectability 

(3 FMEA CHANGE RECOMMENDED 

EXPLANATION/ COMMENTS . ‘ . 

1 & 2. V42P1110C, V42P1112C, V42P1113C and V42P1114C will detect the failure when the 

pressure, drops to 500 psi ana issue a class 3 caution and warning alert. 

Gross leak indication should occur first. (12.6% a) 

6. Capped quick 'disconnect provides one redundant success path-. 


SHUTTLE FAILURE MODE AMD 


EFFECTS ANALYSIS — OR3I t'ER 102 


SUBSYSTEM JFWD - REACTION CONTROL 
A SSc M ELY : PRESSURIZATION 
?/N R I : MC ?? 6— CC 17-04C' 2/ CAC3 
P/N VENDOR: 75372000 - 0402 / C4C3 
QUANTITY : 2 

: ONE REG'D PER TANK 


failure detectable in flight?, no 


FHLA NO G3-2P -101070-1 «. tV : lk/it/?c 

ABORT: CR1T. FUNC: 1 

CK I T. Hriu • 1 

MISSIONS: HP VF X Ff CP SM 
PHAS ECS): PL X LO X 00 X DC X LS X 
NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 1 

REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 

TIMb TO EFFECT: 

SECONDS TO DAYS 
REFERENCE DGCUMtNTS: 


GROUND TURNAROUND? YES 

VISUAL INSPECTION PRIUR TO LAUNCH 


ftJ07G-GCCl-01c 
SO? 2— Sh— 0 1 GO— 2 
VS7C-421001 


PREPARED BY: 

DES C SCARLETT 

REL R DIEHL 


APPROVED 
Oc S 


REL 


BY: 


ITEM: DISCONNECT, QUICK FILL 

rtELXUM WITH SPRING LOADED POPPET AND STRUCTURAL END CaP ( 1/4" > . (MU 
105/106) 
function: 

PROVIDES HELIUM TANK FILL POINT FOR GROUND OPERATIONS AND LOADING 
SERVICING. 

FAILURE MODE: FAILS OPEN, CAP (S) 

LEAKS IN EXCESS of ACCEPTABLE RATE. 

CAUSE <$ > : 

VIBRATION, AND LOOSENING OF THE RETAINER NUT, IMPROPER HANDLING, 
MECHANICAL SHOCK. 

EFFECHS): ON (a) SUBSYSTEM (8 ) INTERFACES (OMISSION (O)CREW/ VEHICLE : 

(A) LOSS OF REDUNDANCY. (B) NONE. (C) P0T£?VT1AL LAUNCH Dt LA Y 
(MISSION LOSS) IF DETECTED. (D) POSSIBLE LOSS OF CKcW/VlhICLE IF 
FAILURE OCCURS PRIOR TO ET SEPARATION. 

CORRECTING ACTION: 

REPLACE OR TIGHTtN END CAP ON GROUND. NONE AVAILABLE IN FLIGHT. 
REMARKS/HAZARDS : 

BECAUSE STRUCTURAL CAP IS LOADED OVER THE DISCONNECT, THIS FAILURE MOD= 
IS VERY kfc'MOTE IN FLIGHT. 
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SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM :FKD - REACTION CONTROL 
ASSEMBLY : PRESS UR I 2 AT ION 
P/N RI :MC2 76-0C17-0402/0403 
P/N VENDOR : 7 53 7200 0-04 02/ 04-03 
QUANTITY :2 

: ONE REQ'D PER TANK 


FMEA NO 03-2F -101070-1 REV: 12/08/78 
ABORT: CRIT. FUNC: 1 

CRIT. HDW : 1 

MISSIONS: HF VF X FF OF SH 
PHASEiS): PL X LO X GO X DO X LS X 


REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 


PREPARED BY: 

DES 

REL 


C SCARLETT 
R DIEHL 


AP 

DE 

REL 


PROVED ELY: „ , , . APPROVED BY/ /i NASA,) : fJlj 

S SSM 


s/z/f-i/jc 



ITEM: DISCONNECT, QUICK FILL 

HELIUM WITH SPRING LOADED POPPET AND STRUCTURAL END CAP 
105/106 ) 


ROVED WITH CHANGES 
See Section 13.0 


( 1 / 4 -"] . 


(MD 


.FUNCTION: 

. PROVIDES HELIUM TANK FILL POINT FDR GROUND OPERATIONS AND LOADING 
SERVICING. 

.FAILURE MODE: FAILS OPEN, CAP IS) 

. LEAKS IN EXCESS OF ACCEPTABLE RATE. 

• CAUSE( S ): 

. VIBRATION, AND LOOSENING OF THE RETAINER NUT, IMPROPER HANDLING, 
MECHANICAL SHOCK. 

.EFFECT(S): ON ( A ) SUBS YSTEM { B ) INTERFACES {OMISSION ( DJCREH/ VEHICLE: 

. (A) LOSS OF REDUNDANCY. { B) NONE. (C) POTENTIAL LAUNCH DELAY 

(MISSION LOSS) IF DETECTED. (D) POSSIBLE LOSS OF CREW/VEHICLE IF 
FAILURE OCCURS PRIOR TO ET SEPARATION. 

.DISPOSITION £ RATIONALE ( A ) DESIGN (B) TEST (CSINSPECT10N ( 0) FAILURE HISTORY: 
(A) CAP SEAL DESIGN DETERMINED TO BE ADEQUATE TO PRECLUDE LEAKAGE. 

DESIGN FACTOR OF SAFETY IS 2.0 X 4000 PSIG MAX WORKING PRESSURE. CAP 
PLUS COUPLING CONSTITUTES DUAL SEALING. ALL RETAINER NUTS ARE PROPERLY 
TORQUED TO PRECLUDE LOOSENING. (B) SEALS ARE EXPOSED TO OVER 600 CYCLES 
DURING DEVELOPMENT. COUPLINGS ARE SUBJECTED TO 600 OPERATIONAL CYCLES 
IN QUAL TEST. ALL CAPS AND COUPLING LEAK TESTED FOR 3 MIN. AT PRESSURES 
UP TO 1.25 MAX WORKING PRESSURE DURING ACCEPTANCE TEST. TURNAROUND LEAK 
CHECKS PERFORMED BEFORE EACH FLIGHT. RANDOM VIBRATION PERFORMED DURING 
QUAL PROGRAM, 68 MINUTES IN TWO AXES AT ANTICIPATED MISSION LEVELS. 

(C) TURNAROUND INSPECTION INCLUDES VISUAL INSPECTION ALL COUPLINGS THAT 
HAVE BEEN USED DURING TURNAROUND FOR DAMAGE PLUS INSPECTING FOR, LEAKS 
DURING LEAK CHECKS. ALSO, PROPER BLEED SCREW TORQUE IS VERIFIED PRIOR 
TO REINSTALLATION OF ANY CAPS THAT HAVE BEEN REMOVED. SUPPLIER AUDIT 
CONDUCTED 4-5-77 VERIFIEO THAT SUPPLIER INSPECTION CONTROLS RAW MATERIAL 
PARTS IDENTIFICATION, MFG PROCESSES, CONTAMINATION CONTROL, AND STORAGE 
ENVIRONMENTS. (D) NEW DESIGN FOR SHUTTLE APPLICATION. NO FLIGHT 
FAILURE HISTORY 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 

SUBSYSTEM Fwd. Reaction Control FMEA NUMBER SD75-SH 

ITEM Quick Fill Disconnect, He. FAILURE MODE Fails Closed/Ground 


03-2F-1 01 070-2 
SD75-SH-OOI 6A 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? '* 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


YES □ NO □ 
*YES □ MO p 
YES Q*NO P 
YES □ NO □ 
*YES □ NO □ 

*YES p NO □ 
.*YES P NO P 

*0 □ *lQ 2P 

N/A PYESPhOp 


yes P*i:o □ 
YES P*HO □ 


| CHANGE/RETENTION RATIONALE SUMMARY 
I 1.0 NO H/S ISSUES 

2. □ HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. n DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS: 


1. Out of Scope. Ground operations only. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS - ORolTeR 102 


SUBSYSTEM : FWD - REACTION CONTROL 

• ASS EM FLY : PRES SURI 2A TI ON 

• P/N R I ■ MC 276— C017— 040-2/0403 

.P/N VENDOR: 753720 00-0402/C403 

. QUANTITY : 2 

. : ONE REQ • D PER TANK 


FAILURE DETECTABLE IN FLIGHT?. N/A 


G " 0 UN C TURNAROUND?..... YE S 

GSt FILL RATE AND HELIUM PRESSURE 


FMEA NO C3-2F -10107 0-2 kcV: Oi / U*r/7 . 
AbORT: CP IT. FuNC: 

GRIT. hWU: 2 

MISSIONS: Hr VF X FF bF SR 

PHASE(S): PL X LO 00 DU LS 

NUM3 ER OF SUCCESS PATr.’S REMAINING 
AFTER FIRST FAILURE: 0 

REDUNDANCY SCREEN: A -N/A b-N/A C-N/A 

TIME TO EFFECT: 

IMMEDIATE 

REFERENCE DOCUMENTS: 
MJG7C-G0C-1-21E ' 

SD72-SH-C 103-2 
VS 70— A 2 100 1 


PREPARED BY: 
DES 
RE L 


C SCARuETT 
R DIEHL 


APPROVED 

DES 

REL 


idY: 


ITEM: DISCONNECT. QUICK FILL 

HELIUM WITH SPRING LOADED POPPET AND STRUCTURAL END CAP (1/V). (Mb 
i 05/1 06) 

FUNCTION: 

PROVIDES HELIUM TANK FILL POINT FOR GROUND OPERATIONS AND LOADING 
SERVICING. 

FAILURE MODE: RESTRICTED FLOW - <F) 

FAILS CLOSED DURING GROUND FILL OPERATIONS 
Cause (s): 

V IB RATI CN/IM.PRO PER HANDLING WHICH CAUSES F lLTER/PGPPtT DAM Abn IN 
DISCONNECT. 

EFFECT{S): UN (A) SUBSYSTEM ( E ) INTER FACE S (OMISSION ( OCR caVVEh! CLL : 

(A) LOSS OF OR REDUCED nELlUM FILL CAPABILITY. (6) NONc. (C) LauNCh 
DELAY . ( D ) NONE. 

CORRECTING ACTION: 

REMC'VE/REPLACb FILL VALVE OR ATTEMPT TO RECOUPLE. 

,R EMARKS/HAZAROS: 

NONE. NO REDUNDANCY PROVIDED FOR THIS ITEM IN THIS MUOE . 


V 

‘~<c: X 

A 




r . 

i * « 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-I 01 080-1 
SUBSYSTEM Fwd. Reaction Control pMEA NUMBER SD75-SH-001 6A 

ITEM Purge Quick. Disconnect. Propellant FAILURE MODE External Leakage During Fli ght 

1. DOES- THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES [Xj NO □ 

- ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES H >'10 Pi 

USE TO DETECT THE FAILURE? . 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT KITH THE FMEA EVALUATION OF YES '[“1 *N0 GO 

IM-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES □ NO fiTI- 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES H NO fiT! 

I FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 

PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES H NO [Xl 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES PI NO fx] 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 □ *l[3 2H 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED M/A □ Y£S[x] NO P] 

I TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

• A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES Q*NO □ 

[ B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES □ *N0 □ 

♦EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETE.NTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 3.P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

| 2.0 HARDWARE ACCEPTS RISK 4. (ZJ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 

I 


(X] FMEA CHANGE RECOMMENDED 


} EXPLAHATION/COMMENTS : 

I 1. Per backup flight system program requirements document MG038103, once a pre-set delta 
j between the propellant quantities is reached a class 2 caution and warning light and tone 

j will be annunciated. Also primary flight control requirements FSSR 0026A except OPS 1,6. 

1 2. The above statement indicates in-flight detection. 

6. Capped quick disconnect provides one redundant success path. 


47 



SHUTTLE FAILURE MODE AMD EFFECTS ANALYSIS 


UKdITER ice 


SUBSYSTEM : FWD - REACTION CONTROL 
ASSEMBLY : PRESSUR I2ATICN 
P/N R I : MC27 6— CC13 
P/M VENDOR: 7*3060 DO 
G UA NT IT Y : 14 

: TWO INLETS AND FIVE 
: OUTLETS FOR EACH PROP 

FAILURE DETECTABLE IN FLIGHT?. NO 


FMEA NO G3-2F -luiOSC-1 R&V: 12/Ufc/?.. 
ABORT: CP IT. FUNC: I 

GRIT. hwO : I 

MISSIONS: HF VF X FF OF SM 

PHASE(S): PL Lu X Ou X CO X LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE : 4 

REDUNDANCY SCREEN: a-N/A B-N/A C-N/A 

TIME TO EFFECT: 

SECONDS TO DAYS 


5 ROUND TURNAROUND ? .YES 

VISUAL INSPECTION 


REFERENCE DOCUMENTS: 
MJC7G— COC 1— GIu 
SDTC-Sh-TICB-E 
VS70— 4ZluUl 


PREPARED 
DES 
RE L 


DV • 

u I • 


C SCARLETT 
R DIEHL 


APPROVED BY: 

DES 

R EL __ 


.ITEM: DISCONNECT, QCK , PURGE, i)*"' 

. VENT, PROPELLANT WITH STRUCTURAL END CAP AND SPRING LOADED POPPET 
( 1/ 2*’ ) . (KG 117, 11 8,123, 124, 127,137, 13 8,14? ,161, 162, 163,164) . 
.FUNCTION: 

. TO ALLOW GROUND PURGE OF PROPELLANT TANKS AND ASSOCIATED 

MAN IFGLDS/LIN ES /THRUS IERS AFTER LANDING € PROPELLANT TANtsS FluL, UNAlN 
£ VENT 

- .FAILURE MODE: EXTERNAL LEAKAGE (S) 


. DURING FLIGHT 
.CAUSE(S): 

. VIBRATION AND LOOSENING OF THE RETAINER NUT, STRUCTURAL FAILURE, PIECE 
D ART FAILURE MECHANICAL SHOCK, IMPROPER GROUND HANDLING. 

.5 FFECT ( S ) : ON (A) SUBSYSTEM (b) INTERFACES (OMISSION ( D )CR Ew/ VEHICLE : 

. (A) LOSS GF PROPELLANT FIRST ORDER FAILURE FOR LOOSE RETAINER NUT. (t) 

. POSSIBLE FlRE/EXPLOSIuN IF FUEL REACTS WITh COMPLEMENTARY UXlUlZhk (Ok 
EXTREME HbAT CURING RE-ENTRY }.( C ) POSSIBLE LOSS OF MISSION U'JE 1 0 FlUIL 
SEPARATION, (3) POSSIBLE LOSS OF CREW/VEKICLe IF FAILURE OCCURS F.nIOR 
TO ET SEPARATION. 

.CORRECTING ACTION: 

. NONE AVA1LA3LE - IN FORWARD MODULE, CRITICALITY IS LESS SEVcRE iF AFT 
MODULES OPERATIVE 
.REMARKS /HAZARDS : 

. POTENTIAL CORROSION OF SURROUNDING COMPONENTS. STRUCTURAL CAP 
CONSIDERED AS STRUCTURE. 
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SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : ? RESSUR IZAT ION 
P/N RI :«C2 76-001 8 

P/N VENDOR : 7 63 06000 
QUANTITY :L4 


FHEA NO 03-2F -101080-1 REV: 12/08/7 
ABORT: CRIT. FUNC: 1 

CR IT . HOW : 1 

MISSIONS: HF VF X FF OF SM 

PHASE ( S ) : PL LO X OG X DO X LS 


.'TWO INLETS AND FIVE 
;OUTLETS FOR EACH PROP 

REDUNDANCY SCREEN: A-N/A 5-N/A C-N/A 


PREPARED 

OES 

REL 


BY: 


SCARLETT 
R DIEHL 


APPROVED 

OES 

REL 


BY 


'■Zf7s/7? 


ITEM: DISCONNECT *■ QCK, PURGE, 

VENT, PROPELLANT WITH STRUCTURAL 
(1/2“}. (MD L17, 118,1 23, 124, 127 


r _ . (NASA) „ 



MED WITH CHANGES 
See Section 13.0 



ENO CAP AND SPRING LOADED POPPET 
137,138,147,161,162,163,164) . 


.FUNCTION: 

. TO ALLOW GROUND PURGE OF PROPELLENT TANKS ANC ASSOCIATED 

MANIFOLDS/LINES/THRUSTERS AFTER LANDING £ PROPELLANT TANKS FILL, DRAIN 
£ VENT 

.FAILURE MODE: EXTERNAL LEAKAGE (S) 

. DURING FLIGHT 
.CAUSE(S): 

. VIBRATION AND LOOSENING OF THE RETAINER NUT, STRUCTURAL FAILURE, PIECE 
PART FAILURE MECHANICAL SHOCK, IMPROPER GROUND HANDLING. 

. EFFECT { S 5 : ON (A) SUBSYSTEM ( 8 ) IN TERF ACES (OMISSION (D ) CREWVEHICLE: 

. (A) LOSS OF PROPELLANT FIRST ORDER FAILURE FOR LOOSE RETAINER NUT. (5) 

POSSIBLE F IRE/ EX PLGS ION IF FUEL REACTS WITH COMPLEMENTARY GXIDIZER (OR 


EXTREME HEAT DURING RE-EN TRY) . { C ) POSSIBLE LOSS OF MISSION DUE TO FLUID 
SEPARATION. (D5 POSSIBLE LOSS Or CREW/ VEHIC LE IF FAILURE OCCURS PRIOR 
TO ET SEPARATION. 

.DISPOSITION £ RATIONALE ( A ) DESIGN ( B ) TEST ( C ) INSPECTION ( D ) FAILURE HISTORY: 

. (A) CAP SEAL DESIGN DETERMINED TO BE ADEQUATE TO PRECLUDE LEAKAGE. 

DESIGN FACTOR OF SAFETY IS 3*0 X 710 PSIG MAX WORKING PRESSURE. CAP 
PLUS COUPLING CONSTITUTES DUAL SEALING. ALL RETAINER NUTS ARE PROPERLY 
TOROUED TO PRECLUDE LOOSENING. (B) SEALS ARE EXPOSED TO OVER 500 CYCLES 
DURING DEVELOPMENT. COUPLINGS ARE SUBJECTED TO 600 OPERATIONAL CYCLES 
IN QUAL TEST. ALL CAPS AND COUPLINGS LEAK TESTED FOR 3 MINUTES AT 
PRESSURES UP TO MAX WORKING PRESSURE DURING ACCEPTANCE TEST. 

TURNAROUND LEAK CHECKS PERFORMED BEFORE EACH FLIGHT. RANDOM VIBRATION 
PERFORMED DURING QUAL PROGRAM. 68 MINUTES IN TWO AXES AT ANTICIPATED 
MISSION LEVELS. (C) TURNAROUND INSPECTION INCLUDES VISUAL INSPECTING 
ALL COUPLINGS USED DURING TURNAROUND FOR DAMAGE PLUS INSPECTING FOR 


LEAKS DURING LEAK CHECKS. ALSO, PROPER BLEED SCREW TORQUE IS VERIFIED 
PRIOR TO REINSTALLATION OF ANY CAPS THAT HAVE BEEN REMOVED. SUPPLIER 
AUDIT CONDUCTED 4-5-77 VERIFIED THAT SUPPLIER INSPECTION CONTROLS RAW 
MATERIAL PARTS IDENTIFICATION, MEG PROCESSES, CONTAMINATION CONTROL, AND 
STORAGE ENVIRONMENTS. (D) NEW DESIGN FOR SHUTTLE APPLICATION. NO 
FLIGHT FAILURE HISTORY*. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-I 01 080-2 
SUBSYSTEM Fwd. Reaction Control fMEA NUMBER SD75-SH-001 6A 

ITEM Purge Quick Disconnect, Propellant FAILURE MODE Fails Closed/Ground Ops. 


l. 

la. 


2 . 


3. 


3a. 


4 . 


5. 

6 . 


7. 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

IF NOT, DOES THE HARDWARE PROVIOE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? " 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A-RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? MOTE CHANGE TO FMEA CRITICALITY. 

IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AMD THE REQUIRED CORRECTIVE ACTION? 


YES 

□ 

NO 

□ 

*YES 

□ 

NO 

P 

YES 

□ 

*N0 

□ 

YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

n 

NO 

□ 

*YES 

□ 

HO 

□ 

*0 C 

i *ii 

□ : 

zD 

M/A □ YESdiN 

:>□ 


8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 


I A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

I B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

J * EX PLAN AT ION REQUIRED (SEE BELOW) 


YES Q *N0 □ 

YES d*HO □ 


| CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. 0 HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. D RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLANATiON/COMHEHTS : 

1 . Out of scope/ground operations only. 
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SHUTTLE FAILURE MOLE AND EFFECTS ANALYSIS - CR6ITER ICE 


SUBSYSTEM :FVJD - REACTION CONTROL 
ASSEMBLY : PRE5SUR 1 ZAT ION 
P/N R I : MC 27 6—0018 


FMEA NO 03-2F -1010*0-2 ft LV : 03/C t/l: 

ABORT: GRIT. FUNG: 

CRIT. i~-WD : 2 


P/N VENDOR: 762060 CO 
QUANTITY : 14 

:TWO INLETS AND FIVE 
tOuTLETS FOR EACH PROP 

FAILURE DETECTABLE IN FLIGHT?. N/A 


MISSIONS: HF V F X FF CF Stf 

PKASh(S): PL X LG u'J DO LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 

REDUNDANCY SCREEN: A-N/A fe-N/A 

TIME TO tFFECT: 


1 

C-N/A 


IMMEDIATE 

REFERENCE DOCUMENTS : 
MJ070— OCCl—O I E 


GROUND TURNAROUND?.... .YES SD72-SH-0IC3-E 

GSE EQUIPMENT FLOW RATE AND TANK OUTPUT VS7C-42I0C1 

PRESSURE VAZP-1210C, 13 IOC 


PREPARED BY: 
DES 
REL 


C SCARLETT 
R DIEHL 


APPROVED 6 Y : 

DBS 

REL „ 


.ITEM; DISCONNECT, QCK , P'JKGE, 

, VfcNT, PROPELLANT WITH STRUCTURAL END CAP AND SPRING LOADED POPPET 
{ 1/ 2*’ > * ( MD 11 7., US, 123, 124,127 , 137 , 13 1 , 147,1 1 1 , 1 6 2 , 1 63 , 1 fcA ) . 

.FUNCTION: 

. TO ALLOW GROUND PURGE OF PROPELLANT TANKS AND ASSOCIATED 

MAN IF OLDS /LINES /l HRUSTERS AFTER LANDING L PROPELLANT TANKS FILL, DRAIN 
E VENT 

• FAILURE MODE: FAILS CLOSED (F) 

. DURING GROUND OPERATIONS 

.CAUSE (S) : 

. CONTAMINATION PIECE PaRT STRUCTURAL FAILURE, MECHANICAL ShOCK. 

• EFFECT(S): ON { A) SUES VSTEM ( 6 ) INTERFACES (OMISSION (U )CR EW/VEHIC Lt : 

. (A) LOSS OF PURGE FUNCTION. (B) NO EFFcCT . (C) POTENTIAL LAUNCH 

. DELAY. (D) NONE. 

.CORRECTING ACTION: 

. ATTEMPT TO REMOVE BLOCKAGE ( BACK-FLOW )' OR REMOVE COUPLING AND RE^LaCl 
,P EM ARKS/HAZARDSs 

. NON b. NO REDUNDANCY PROVIDED FOR THIS ITEM. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01090-1 
SUBSYSTEM Fwd. Reaction Control FMEA NUMBER 

ITEM Test Quick. Disconnect, Propellant FAILURE MODE Ext, Leakage/Fl jght 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES fx) HO P 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YE$ □ NO P 

USE TO DETECT THE FAILURE? ^ 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES f I P 

IN-FLIGHT DETECTABILITY? ' 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES □ NO fx] 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS *YES P NO [X] 

FAILURE MODE (EITHER CY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES □ NO fx] 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT .*YES Pi NO P 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 □ *l[X| 2^ 

ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 


7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A PyESPnoP 

TO SIGNAL THE NEED FOR INTERVENTION AMD THE REQUIRED CORRECTIVE ACTION? ' 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES QQ*NO □ 

i B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREU/VEHICLE? YES 0*NO □ 

J *EXPLANATIQN REQUIRED (SEE BELOW) 


CHANGE/ RETENTION RATIONALE SUMMARY 

1. Q NO H/S ISSUES 3.Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. Q) HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. D RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



I 1 & 2. V42P1110C, V42P1112C and V42P1113C will detect the failure and issue class 3 alarm 

| (system management blue light on crew-cockpit glare shield) at <500 psia. 

| Gross leak indication is quicker (class 2). 

| 6. Capped quick disconnect provides one redundant success path. 

•s 

1 



i 
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SHUTTLE FAILURE .MODE AMD EFFECTS ANALYSIS - ORB I TER 10 2 


SUBSYSTEM :FWO - REACTION CONTROL 

ASSEMBLY : PRESSURIZATION 

P/N R I : ME27 6— OC'32 

P/N V ENDOR : RR4267 0-5E 7 » R&42 90G— 1£ 3 

QUANTITY : Ia- 

sSE VEN REC’D FOR EACH 
: PROPELLANT 


FMEA NO 03-2F -101090-1 RCV : i l/09/?{ 
ABORT: CRir. rUNC: IF 

C.RJT. HwLS 3 

MISSIONS: hF VF X FF OF SM 

PHASE(S): PL LO X 00 X DO X LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 1 

REDUNDANCY SCREEN! A-PASS b — F AIL C-PASi 


FAILURE DETcCTAELE IN FLIGHT?. YES TIME 10 LrFFtCT: 

HELIUM TANK PRESSURE V42P-11 IOC ,1 1 12C , 11 13C, SECONDS I 0 CAYS 

lllAC REFERENCE DOCUMENTS: 

MJOTC’-OCO 1-01 6 

S POUND TURNAROUND? ....N/A SD72-SH-V. 1 03-2 

VS70— 421001 


PREPARED BY: 
DES 
REL 


C SCARLETT 
R DIEHL 


APPROVED BY: 

OSS 

R£L 


.HEM; DISCONNECT, QUICK, TEST 

. PT. { I/4 S| 3 WITH SPRING LOADED POPPET AND STRUCTURAL CAP. (MO 1U1,1C2, 
1G3, 104, 107, ICS ,109 ,110,111,112,113,114,177 £ 173). 

. FUNCT ION: 

. TO PROVIDE ACCESS TO THE HELIUM SUPPLY SYSTEM AT VARIOUS POINTS IN The 
SYSTEM: (I) RELIEF VALVES/BURST DISCS (2) REGULATORS (3} CnECK VALVtS. 
PROVIDES FOR C/G OF PRESSURIZATION SUB-SYS COMPONENTS. COMPUNtNT 
INPUTS £ OUTPUTS ARE ACCESSABLE AT HE SERVICE PANEL. 

.FAILURE MODE: EXTERNAL LEAKAGE (S) 

. DURING FLIGHT 

• CAUSE <S ) : 

. VIBRATION, PIECE PART STRUCTURAL FAILURE (POPPET, SEAL), HtCHANlLAL 
SHOCK. 

. E FFSCT ( S ) : ON (A) SUBSYSTEM ( S ) INTERFACES (C)MISSIGN ( 0 )CR LW/VehlC LE : 

. (A) LOSS OF HELIUM PRESSURANT. (SECOND ORDER FAILURE). (5) LOSS OF 

. PROPELLANT FEED CAPABILITY. (C) POTENTIAL LOSS OF MISSION DUE Tu 

FLUID LOSS. (0) NONE. ( E) FUNCTIONAL CRITICALITY EFFtCTS - POT EM 1 AL 
LOSS OF HELIUM SUPPLY WHICH COULD RESULT IN LOSS OF VEHIClE IF THE LOSS 
OCCURRED BEFORE ET SEPARATION. 

.CORRECTING ACTION: 

. UTILIZE AFT MODULES TO ORIENT VEHICLE FOR ENTRY AND COMPLETE ABORT . 

. R EM AR KS/H A Z AR DC : 

. NONE. 
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SHUTTLE CRITICAL ITEMS LIST - QRSITEP 102 


• ASSEMBLY 
. P/N RI 


QUANTITY 


:FWD - REACTION CONTROL 

FMEA NO 03-2F 

:PRESSURIZATI0N 

ABORT: 

IHE2T6-0032 


:RR42670-5G7,R642900-l&3 

MISSIONS: HF 

: 14 

PHASE(S): PL 

: SEVEN REQ'O FOR EACH 


:PROP£LLANT 



• 10 1090— I REV: 11/09/ 

CRIT. FUNC: 1R 

CRIT* HOW: 3 

VF X FF OF SM 
LO X CO X DO X LS 


REDUNDANCY SCREEN: A-PASS B-FAIL C-PA 


PREPARED BY: 
OES C 

REL 


SCARLETT 
R DIEHL 


APPROVED h( (MjCjSA 5 
SSH 
RE\ 


x!^* 


APPROVED BY: . 

OES - 'k/X 

REL 

fV ' 'ROVED WITH CHANG ES 

ITEM: 0 1 SCQNNECT » QUICK, TEST S6S Sectlon 13 -° 

PT. (1/4") WITH SPRING LOADED POPPET AND STRUCTURAL CAP. {MO 101,102, 
103 . 104,107, 108, 109, 110 , Hi ,112,113 ,114, 177 £ 173). 


.FUNCTION: 

. TO PROVIDE ACCESS' TO THE HELIUM SUPPLY SYSTEM AT VARIOUS POINTS IN THE 
SYSTEM: (L) RELIEF VALVES/BURST DISCS (2) REGULATORS { 3 ) CHECK VALVES. 
PROVIDES FOR C/0 OF PRES SUP 1 2 AT I ON SUB-SYS COMPONENTS- COMPONENT 
INPUTS S OUTPUTS ARE ACCESSIBLE AT HE SERVICE PANEL. 

-FAILURE MODS: EXTERNAL LEAKAGE ( S) 


« DURING FLIGHT 
-CAUSE! S) : 

<, VIBRATION, PIECE PART STRUCTURAL FAILURE ( POPPET , SEAL), MECHANICAL 
SHOCK. 

- EFFECT! S ) : ON (A) SUBSYSTEM { B ) INTERFACES (OMISSION (DO CREW/ VEHICLE : 

. (A) LOSS OF HELIUM PRESSUR ANT „ (SECOND ORDER FAILURE). C 3 ) LOSS OF 

PROPELLANT FEED CAPABILITY- (C) POTENTIAL LOSS OF MISSION OUE TO 
FLUID LOSS. (0) NONE- (E) FUNCTIONAL CRITICALITY EFFECTS - POTENTIAL 
LOSS OF HELIUM SUPPLY WHICH COULD RESULT IN LCSS OF VEHICLE IF THE LOSS 


OCCURRED BEFORE ET SEPARATION. 

.DISPOSITION G RATIONALE (A) DESIGN (5JTEST ^INSPECTION (D)FAILURE HISiQPr 

. tA) OUAL SEALING SURFACES ON CAP WILL PRECLUDE FAILURE. EACH SEALING 
SURFACE INDEPENDANT OF THE OTHER DESIGN BURST PRESSURE IS TWO TIMES GP 
PRESSURE. IS) EACH COUPLING PROGF TESTED TO AT LEAST 1.5 GPER PRESSUR 
S LEAK TESTED FOR L5 MIN DURING ACCEPTANCE TESTING- (C) AUDIT CONDUCT 
ON IL-3-76 VERIFIs, THAT SUPPLIER INSPECT. INCLUDES V6RIFI. OF RAW MAT' 
PARTS MFG, IDENTIFICATION, AND PROTECTION, ASSY OPERATIONS, NOE EXAM □ 
WELDS, BRAZES, AND MAT 1 L AND EQUIP CONFORMANCE. TURNAROUND INSPECTION 
INCLUDES VISUALLY INSPECTING ALL COUPLINGS THAT HAVE 8EEN USED FOR 
DAMAGE AND LEAKAGE- ALSO, PROPER AHC CAP TORQUE IS VERIFIED UPON 
RE INSTALLATION OF ANY CAPS THAT HAVE BEEN REMOVED. (D) 14 NON-FLIGHT 

EXTERNAL LEAKAGE FAILURES EXPERIENCED ON LK/SM RCS DUE TC PROCESS 
DEFICIENCIES. 



S D 7 5 - S H -0 0 0 3 


*n r m m rn 



HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 090-2 
SUBSYSTEM Fwd. Reaction Control FMEA NUMBER SD75-5H-001 6A 

ITEM Test Quick Disconnect, Propellant FAILURE MODE Fails Closed/Ground Ops 

1. DOES- THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES □ NO □ 

- ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES P NO f~| 

USE TO DETECT THE FAILURE? ^ 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES '[“] *NO □ 

IN-FLIGHT DETECTABILITY? " . 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES □ NO fl- 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *Y£S Fl NO PI 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES n NO P 

INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES P NO P 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAM THE SHUTTLE TOLERATE {CONSIDER CREW *0 □ *lP 2 \~\ 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A PyESPnoP 
TO SIGNAL THE NEED FOR INTERVENTION AMD THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES Q*NO □ 

8. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES Q*NO □ 

*EXPLANATION REQUIRED (SEE BELOW) 

CHANGE/RETEMTION RATIONALE SUMMARY 

NO H/S ISSUES 3. P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. Q HARDWARE ACCEPTS RISK 4, □ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



1. Out of scope - ground operations only. 


i 

! 

k 


l 

I 
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shuttle failure mode and effects analysis 


ORBIT CR 1C2 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : PRESSURI ZATION 
P/N R I :ME2?6-G032 
P/N VbND0R:RR4267C-5£7,R6429CC-l£3 
QUANTITY : 14 

: SEVEN REO'D FOR EACH 
: PROPEL LA NT 

FAILURE DETECTABLE IN FLIGHT?. N/A 


FMEA NO 03— 2 F 
ABORT: 


-101090-1 


MISSIONS: HF 

PHASE(S): PL 

NUMBER OF SUCC 
AFTER FIRST FA 
REDUNDANCY SCREEN 


GROUND TURNAROUND?... 
.vU PRESSURE KbAD-OUT 
1 1IAC 


YES 

V42P-lliGC»1112C,ilI2C, 


VF X 
X LG 
ESS PA 
1 LURE : 
: A-P 

TIME 
SECON 
REFER 
MJ070 
S072- 
VS70- 


C.R i T . 
CR1T . 
FF 
GO 

THS RE 

ASS 
TO EFF 
OS ro 
ENCE D 
— CGC1— 
SH-ulO 
421 wO I 


R EV : C 2/06/ 1 : 
FUNC : 
t-.WU: 5 

UF SM 
DO LS 
MAIMING 


-N/A 
ECT: 

HOURS 
OCUMeNT S : 
GIB 
3 — 2 


1 

c-pas: 


PREPARED 


Dc S 
PEL 


SY : 


C SCARLETT 
R DIEHL 


APPROVED BY: 

DtS 

REL 


ITEM: DISCONNECT, QUICK, TEST 

PI. ( 1/4*’ ) WITH SPRING LuaOED POPPET AND STRUCTURAL CAP. <MC lCi,iC2, 
LC-3 ,104, 1C7,1C8 ,109,110,111,112,113,114,177 S 17E ) . 

FUNCTION: 

TG PROVIDE ACCESS TO THE HELIUM SUPPLY SYSTEM AT VARIOUS POINTS IN T ht 
SYSTEM: (1) RELIEF VALVES/BURST DISCS (2) REGULATORS (3) C«ECK VALvbS. 

PROVIDES FOR C/0 OF PRlSSUR IZaT ION SUB-SYS COMPONENTS. COMPONENT 


INPUTS £ OUTPUTS ARE ACCESSABL 
FAILURE MODE: FAILS CLOSED 

during turn-aroumc/ground 

CAUSE (S ) : 

CONTAMINATION, PIECE PART 
EFFECT(S): ON (A) SUBSYSTEM 
(A-) LOSS OF TES 7 /CHECKOUT 


a i he service Panel. 

{FT 

OPERATIONS 

STRUCTURAL FAILURE (POPPET, SEAL;, 
te ) INTERFACES (OMISSION ID) CKEW/Vtr<ICL! 
DATA. (B) INCREASED GKlUND EQUIPMENT 


REQUIREMENTS. (C) POTENTIAL MISSION LAUNCH DELAY. ( J) NONE. 
CORkECTING ACTION: 

TEST AT ALTERNATE POINT (IF AVAILABLE) GR REMOVE AND REPLACE COUPLING. 
REMARKS /HAZARDS: 

NONE.. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 01 095-1 
SUBSYSTEM Fwd. Reaction Control FMEA HUMBER SD75-SH-0016A 

ITEM Helium Quad Check Valve FAILURE MODE Fails Open 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF MOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE hAROWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATION REQUIRED (SEE BELOW) 


YES □ NO 0 
*YES □ NO p 
YES [X] *N0 □ 

YES Q fiO 0 
*YES □ NO |X] 

*YES □ NO 0 
*YES □ NO 0 
*0 0 *10 20 
N/A 0YES0NO0 


YES 0*110 □ 

YES (Xj*HO □ 


f CHANGE/RETENTION RATIONALE SUMMARY 

1. LS NO H/S ISSUES 

2. □ HARDWARE ACCEPTS RISK 


3. D NO SOFTWARE DETECTION 

4. D DETECTION DURING CHECKOUT 


5. □ACCEPTANCE RATIONALE 'BELOW 

6. □ RECOMMENDED CHANGES BELOW 


0 FMEA CHANGE RECOMMENDED 


EXPLANATION/COMHENTS: 


1. Series redundant. 


6. Series redundant. 
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shuttle failure- mode and effects analysis - crbiter igb 


SUBSYSTEM sFwD - REACTION CCNTRUL 
ASSEMBLY : PRtS SUR I ZATICN 
. P /N R I :MC?3A-04S1-CC01/-GG02 

P/N VENDOR : RSC 1 05 CO— GG1/-G1 1 
QUANTITY :2 

:ONE PER hcLIU.M SUPPLY 


FAILURE DETECTABLE IN FLIGHT?. NO 


FMEA NO C3-2F -1C1G95-I RtV : 1 1 /L'y/H 
ABORT: CR1T. FUNC: 3 

C R i T . HL 0 : 3 

MISSIONS: HF VF X FF OF SM 

PHASE(S): PL LO X 00 X DO X LS 

' NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 1 

REDUNDANCY SCREEN: A-N/A P-N/A C-N/A 

TIME TO EFFECT: 


GROUND TURNAROUND ? YES 

GROUND TEST PORTS 


MINUTES 

REFERENCE DOCUMENTS: 
MJ07G-000 I — C 1 c 
SD 7 2— Sh— u 1 Or —2 
VS70-42I0CI 


PREPARED 


DE S 
REL 


BY: 


R BURKHART 
R DIEHL 


APPROVED 8Y : 

DE S 

REL 


.ITEM: VALVE, QUAD, CHECK, HE 
. ( CV 101/102) 

» c UMCT ION: 

. TG PRECLUDE PROPELLANT VAPORS 'FROM MIGRATING TO REGULATORS {FROM THE 
PROPELLANT TANK). 

.FAILURE MODE: FAILS OPEN <F) 

. OR FAILS TU REMAIN CLOSED { INTERNAL' LEAKAGE ) . 

.CAUSE (S ) : 

. CONTAMINATION, VIBRATION, PIECE PART STRUCTURAL FAILURE, McChAN 1C A L 
SHOCK, VIBRATION. 

. EFFECT (S) : ON (A)SUSSYSTEM (5 ) INTERFACES (OMISSION (0 JCR EW/VErilCLc : 

. (A) LOSS OF REDUNDANCY-SERIES VALVE WILL PROTECT REGULATORS PRUM 

. vapors. (6,c,d> no effect unless multiple failures occur. to 

FUN'CT IONAL CRITICALITY EFFECT - POSSIBLE CONTAMINATION UF RtGuLATuKS 
WITH PROPELLANT VAPORS IF BOTH CnECK VALVES ARE OPEN. 

.CORRECTING ACTION: 

. NONE AVAILABLE. 

.REMARKS/HAZARCS : 

. NO HAZARDS 

ACTION OF PROPELLANT VAPORS AND CONTAMINATION. 



.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03.-2F-1 01095-2 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-0QI6A 

ITEM Helium Quad Check Valve FAILURE MODE Fails Closed 

l 

1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES □ MO [X] 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?. j 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES Q NO H 

USE TO DETECT THE FAILURE? • ^ j 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES H *N0 IT) 

IN-FLIGHT DETECTABILITY? , 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES □ NO ® 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? i 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS x *YES H NO [3 

FAILURE MODE- (EITHER EY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *Y£S □ NO [H 

INDUCE ANOTHER FAILURE? * . , ■ . 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES Q NO TO 

OTHER FUNCTIONS? j 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 Q *10 2Q 

ACTION AND, HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. j 

7. IF CREW ACT I Oil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED H/A nYESnilOn 

TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? ! 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: ’ 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES 0*110 □ 

B. WILL 8FS TOLERATE FAILURE WITHOUT LOSS OF CREWAEHICLE? • YES Q*NO Q , 

- ‘EXPLANATION REQUIRED (SEE BELOW) . j 

' CHANGE/RETENTION RATIONALE SUMMARY . j 

1.0 NO H/S ISSUES'- - . 3. P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW ' j 

2.'® HARDWARE ACCEPTS RISK '4.D DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW j 


□ FMEA CHANGE RECOMMENDED 



1 & 2. Upon using the thrusters, tank ullage pressure will decay until <200 psi which 1 

will give a class 2 caution and warning alarm. ‘ j 


shuttle failure mode and effects analysis 


ORB IT Eh IC2 


SUBSYSTEM : PWD - REACTION CONTROL 
ASSEMBLY : PRESSURIZATION 
P/\! R I :MCZ64— 0481-000 1/-0002 

P/M V END0R:KSCIC5 00-00 1/-01 1 
QUANTITY :2 

:ONE PER HELIUM SUPPLY 


FMtA NO 03— 2 F -101095-2 
ABORT’.' CE1T. 


CR IT 
F F 
00 


FAILURE DETECTABLE IN FLIGHT?. NO 

DUE IQ SMALL P THE LEAKAGE IS NOT QETEC- 

T ABLE 

GROUND TURNAROUND?. YES 

SAME AS FLIGHT IN ST RUMEN TATION 


MISSIONS: HF VF X 

PHASE(S): PL LO X 

NUMBER OF SUCCESS PATHS 
AFTER FIRST FAILURE: 
REDUNDANCY SCREEN: A-PASS 

TIME TO 


K rV : 
FUNC 
HWU 
OF 

X UU X 
RLMAiNl 


ll/iC/7: 
: IK 

* 3 


lS 

nG 


b-fail 

EFFECT : 

MI NUT ES 

REFERENCE DOCUMtr 
MJ C 7C — OL'0 1 —0 1 1- 
SD72 — Sh— : i-Ji-2 
VS7G-A21G01 


I 

C-FaII 


TS: 


PREPARED BY: 

DES R BURKHART 

REL R DIEHL 


APPROVED BY: 

DES 

REL 


ITEM: VALVE, QUAD, CHECK, HE 
(CV 101/1021 
FUNCTION: 

TO PRECLUDE PROPELLANT VAPORS FROM MIGRATING TO REGULATORS (FROM ThE 
PROPELLANT TANK). 

FAILURE MODE: FAILS CLOSED (F) 

RESTRICTED FLOW. 

CAUSE (S ) : 

PIECE PART STRUCTURAL FAILURE, MECHANIC A L SHOCK, ACCELERATION. 

EFFECT! S): ON (A) SUBSYSTEM ( B ) INTERFACE S (OMISSION (0 ) CRtK/Vch IC L l : 

(A) LOSS OF REDUNDANCY - PARALLEL PATH PROVIDES PRESSURaNT FEED. 

( E , C, ) NO EFFECT UNLESS MULTIPLE FAILURES OCCUR. (U) NO tFFECT . 

( E ) FUNCTIONAL CRITICAL EFFECTS - IF FAILURE OCCURS BcFUkt ET SEPARATION 
, LOSS OF DORN FIRING THRUSTERS WILL PREVENT ET St PAR AT I ON AND RESUl'I j.i\ 
LOSS OF CREW/ VEHICLE. 

.CORRECTING ACTION: 

. NONE (BLOWDOWN MAY BE USED AFTER SECOND FAILURE). 

• REM ARKS/HAZARDS: 

. MINIMUM DELTA CRACKING PRESSURE FOR CRACKING IS NECESSARY REQUIREMENT 
TO MINIMIZE SYSTEM PRESSURE DROP TO TANKS. 


60 


original page is 

OF POOR QUALITY 



SHUTTLE CRITICAL ITEMS LIST - 0R8ITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
.ASSEMBLY :PRESSURIZAT ION 
.P/N R I : NC2 8A-— 0A81— 0001 /— 0002 

.P/N VENDORS R SOI 0 500— 00 L/— 0 i 1 
.QUANTITY 52 

. : ONE PER HELIUM SUPPLY 


FMEA NO 03— 2 F -101095-2 REV: 1 1/ 1 u/73 

ABORT: CF.IT* FUNC: IR 

CRIT. HDW: 3 

MISSIONS: HF VF X FF OF S.M • 

PHASE(S): PL LO X DO X DO X L S 


PREPARED BY: 

DES R BURKHART 


REDUNDANCY SCREEN: A-PASS B-F A I L C-FAIL 

= DAV: yf / APPROVE^ .BYl/NASAW: fj 


APPROVED /fSY : s'/ / APPROVE^ BY 

DES SSY • 


KHAR I Utb -t . 

DIEHL REL 


approved with c hanges 

, _ See Section” 1370 

ITEM: VALVE. QUAD » CHECK . HE ^ • 

(CV 101/102) 

FUNCTION: 

TO PRECLUDE PROPELLANT VAPORS FROM MIGRATING TO REGULATORS (FROM THE 
PROPELLANT TANK ) 

FAILURE MODE: FAILS CLOSED (F) 

RESTRICTED FLOW • 


CAUSE(S): 

PIECE PART STRUCTURAL FAILURE. MECHANICAL SHOCK. ACCEL ERA ■ ION . 

EFFECTiS): ON ( A) SUBSYSTEM (8)1 NTERF ACES (OMISSION ( D) CR tW/VEH TCLE: 

(A) LOSS OF REDUNDANCY - PARALLEL PATH PROVIDES PR ESSUR A NT FEED. 

{ B. C » 5 NO EFFECT UNLESS MULTIPLE FAILURES OCCUR. (D) NC EFFECT. 

(E) FUNCTIONAL CRITICAL EFFECTS - IF FAILURE OCCURS BEFOPE ET SEPARATION 
.LOSS OF DOWN FIRING THRUSTERS WILL PREVENT £T SEPARATION AND RESULT IN 


' LOSS OF CREW /VEHICLE., 

.DISPOSITION C RATIONALE { A) DESIGN (B)TEST £ C ) IMS P5CT ION ( 0 ) FAIL UR E HISTORY: 
. (A) VALVE SEAT MATERIAL WILL NOT STICK CAUSING A FAILURE TD CPEN AND 

SPECIFIED MAXIMUM CRACKING PRESSURE IS ONLY 5 PSI- IB) ChECK VALVE TO 
BE CERTIFIED FOR 100.000 CYCLES WITHOUT CHANGE IN PERFORMANCE 
CHARACTERISTICS/ALSO. WILL CHECK GUT EACH VALVE ELEMENT (PARALLEL - 
SERIES) AFTER EACH FLIGHT. VALVE SUBJECTED TO MIN OF 10.6 GRMS 
RANDOM VIBRATION PER AXIS DURING QUAL PROGRAM. (C) AN AUDIT CONDUCTED 
ON 1-16-78 INDICATED THAT SUPPLIER QC VERIFIED RAW M AT • L . CERTIFICATION 
TO SATISFY SHUTTLE DESIGN REQUIREMENTS. VERIFIED PROTECTION OF DETAIL 
PARTS FROM DAMAGE DURING MFG AND TEST. "IN-PROCESS INSPECTION VERIFIED 
MFG TRAVELER SEQUENCES. TURNAROUND INSPECTION TO INCLUDE MONITORING 
FUNCTIONAL TESTS TO VERIFY FLOW AND CHECK FOR LEAKAGE. ( V ) NO FAILURE 


HISTORY. THIS IS A NEW DESIGN FOR SHUTTLE USE- 


£031 
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-HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 02106-1 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-001 6A 

ITEM Propellant Line Flex Assv. FAILURE MODE External Leakage 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES 0 NO □ 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE}?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES □ NO f~| 

USE TO DETECT THE FAILURE? ' 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES OH *MQ □ 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES R NO 0 

(EITHER 6Y COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES f~l NO [xl 

FAILURE MODE {EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES [”1 NO fxj 

INDUCE ANOTHER FAILURE? • . , 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES H NO HI 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 0 *lG 2H 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A f 1 YESHTi liO j | 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES (X]*NO □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES (0*NO □ 


♦EXPLANATION REQUIRED {SEE BELOW) 



l.Q NO H/S ISSUES ‘ 3.Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 


2. QTJ HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. Q RECOMMENDED CHANGES BELOW 


[Xj FMEA CHANGE RECOMMENDED 



1. V42Pin5C, 1116C will give a class 2 alert once pressure drops to a pre-determined low. 
Gross leak indication occurs first. 

6. No redundancy- avail able. 

7. V42P1116C and V42P1115C goes to shared meter M2 and will show a large pressure drop for 
worst case (large leak). 

FMEA Change - add V42P1116C to "failure detectable in flight". 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


CRB I TER 10? 


SUBSYSTEM :FWD - REACTION' CONTROL 
SSFMcLY ? PROPELLANT FEED 
/N RI : 

/H VENDOR? MC27I-CG95 
UANTITY : 2 

i ONE PER PROPELLANT 


FMEA NO 03-2F 
ABORT? 

MISSIONS? hF 
PhASE(S): PL 

NUMBER OF SUCC 
AFTER FIRST FA 
REDUNDANCY SCREEN 


-1C21C6-I 

LR1 r 
CRIT 
FF 

00 X 
THS K 


AILURE 0 ET ECTA8L E IN FLIGHT?. YES 

POPE LL ANT TANK PRESSURE V42P-131CC AND MANIFOLD 

R ESS UR E 1312CC1316C 


VF X 
LO X 
ESS PA 
I LURE : 
: A-N 

TIME 
SECON 
REFER 
VC-7C- 


K tV? 
FUND 
hWD 
CF 

LO X 
bMA 1.V i 


I 1/09/7. 
? 1 
: 1 
SM 
LS 

ivG 


/A 

TO EF 
LS TO 
ENCE 


B-N/A 
FELT: 

DAYS 

DOCUMENTS : 
41 10C1 


w- 

C-N/A 


SOUND TURNAROUND? YES 

AMfc AS FLIGHT IN ST RUMEN T A T I ON 


MJQ7G-OCOI— CIS 
SD7 2— SH— 0 103~<l- 
VS7C— 421CC1 


PREPARED 


DES 

REL 


BY : 


J. TAGGART 
R DIEHL 


APPROVcD BY: 

DCS 

REL 


ITEM? PROP LINE FLEX ASSY 


FUNCTION: 

TO PROVIDE PROPELLANT FEED TO APPROPRIATE PROPELLANT FE EDLINES . 

failure mode: external leakage is) 


.C AUSE (S ) : 

. MECHANICAL SHOCK, VIBRATION, FlOW, FATIGUE, IMPROPER INSTALLATION (WELD) 
. E FF ECT ( S J : ON (A) SUBSYSTEM { D ) INTbRFAC ES (OMISSION (D JCR EW/’VtlilCLt ? 

. (A) LOSS OF PROPELLANTS. t B ) POTENTIAL CORROSION FROM Pl<EE 

. PROPELLANTS IN MODULE. (C) POTENTIAL MISSION LOSS OR ABORT DECISION. 
(D) POTENTIAL LOSS GP CREW/VEHICLE IF FAILURE RESULTS IN LOSS UP RCS 
FUNCTION BE PORE ET SEPARATION. 

.CORRECTING ACTION: 

. ATTEMPT TO ISOLATE ANO INITIATE ABORT IF REQ'D. 

.REMAOKS/HAZARDS : 

. POTENTIAL HAZARD OF F IR E/ EX PLOS ION FRCM FREE PROPELLANTS. SOME LEAK 
POINTS MAY NOT BE I SOLATA B LE (I.E. B EFO RE/UPSTREAM OF TANK ISOLATION 
VALVES) NO REDUNDANCY PROVIDED FUR LINES. SEE HAZARD NO. lYXX-UBOZ-C't. 
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SHUTTLE CRITICAL ITEMS LIST - OR 8 ITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : PROPELLANT FEED 
P/N RI : 

P/N VENDOR :MC 2 71— 0095 
QUANTITY :Z 

J ONE PEP. PROPELLANT 


FMEA NO 03-2F -102106-1 R EV: 1 1/0 9 /78 
ABORT: CRI7. FUND: 1 

CRIT. HDf* : 1 

MISSIONS: HF VF X FF OF SM 

PHASE ( S ) : PL LOXOOXDOXLS 


PREPARED BY*. 

DES J. TAGGART 

REL R OIEHL 


ITEM: PROP LINE FLEX ASSY 


REDUNDANCY SCREEN: A-N/A 



APPRTJVlED ZjY: 

DES _ . — • . w - — - 

RE L P . 


APPROVED n 
S SM |Af * 

A — XAcAo 





A PPROVED WITH CHANGES 
See Section 13.0 


.FUNCTION: 

. TO PROVIDE PROPELLANT FEED TO APPROPRIATE PROPELLANT FEECLINES. 

.FAILURE MODE: EXTERNAL LEAKAGE { S ) 

.C AUS E( S } : 

. MECHANICAL SHOCK, VIBRATION, FLOW , FATIGUE, IMPROPER I N$T A LI A T I CN (HELD) 

. EFFECT { SI : ON IAISUBSYSTEM (6)1 NTER C ACES {OMISSION { D ) CP 2WV5H IC LS: 

. i A J LOSS OF PROPELLANTS. IB) POTENTIAL CORROSION FRG M FREE 

PROPELLANTS IN MODULE. fC) POTENTIAL MISSION LOSS OR ABORT DECISION. 

£ D J POTENTIAL LOSS OF CRcW/VEHICLE IF FAILURE RESULTS IN LOSS OF RCS 
FUNCTION BEFORE ET SEPARATION. 

.DISPOSITION £ RATIONALE l A IDESIGN { 8) TEST (C ) INSP ECTI CN (D) FAILURE HISTORY: 
(A) STRUCTURAL MARGIN OF 2.0 WILL MINIMIZE FAILURE MODE POTENTIAL. IB) 
PROOF TESTED TO 1.5 TIMES WORKING PRESSURE AND 65 MINUTES OF RANDOM 
VIBRATION AT ANTICIPATED MISSION LEVELS. (C) IN PROCESS INSPECTIONS 
X-RAY OF WELDS t PENETRANT INSPECT. TURN AROUND INSPECTION INCLUDES 
MONITORING FUNCTIONAL TESTS DURING PRESSURIZATION CYCLE FOR EVIDENCE OF 
LEAKS AND DAMAGE. SUPPLIER INSPECTION DEEMED TO BE SATISFACTORY BASED 
ON SURVEY CONDUCTED ON 4-20-77. (D) NO FAILURE HISTORY FOR THIS 

SPECIFIC DESIGN. 


± 028 c „ 
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.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER 

ITEM 


03-2F-1 02108-1 
SD75-SH-0016A 


Feedline and .Fittings 


FAILURE MODE 


External Leakage. 


1 . 


la. 


3. 


3a. 


5. 


7. 


8 . 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION III RESPONSE)? - 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? . • 

ARE THE ANSWERS TO QUESTIONS 1 AND .la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE . 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? • - 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

IF CREW ACT I Oil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 


IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL 8FS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) . . 


YES 

0 NO 

□ 

*YES 

□ NO 

p 

YES 

[X] -MO 

□ 

YES 

P NO 

0 

*YES 

□ NO 

0 

*YES 

□ NO 

□ 

*YES 

□ NO 

0 

*0 E 

I *lD 

2D 

M/A □ YES[j(J iji 

op 

YES 

GO *N0 

□ 

YES 

QQ*no 

□ 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES 

2. [xj HARDWARE ACCEPTS RISK 


3. □ NO SOFTWARE DETECTION 
4. 0 DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. 'D RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 

EXPLANATION/COMHEHTS: 

1. V42P1115C, 1116C will give a class 2 alert once pressure drops to a p re-determined low. 

Gross leak indication occurs first. 

6. No redundancy available. 

7. V42P1115C and V42P1116C goes to shared meter M2 and will show a large pressure drop for 
worst case (large leak). 
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ShUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


OhSITER 112 


SUBSYSTEM : FWC - RE AC 
.A SSEKELY : PROPELLANT 
,P/N k I : V070-4-21C0 
. P/N VENDOR: 

.QUANTITY : 1 

: ONE SET PE 


TICN CONTROL 
FEED. 

1 


R PROPELLANT 


FMEA NO 
ABORT: 


G3-2F -1C21C- 


MISSIONS: HF VF X 

PHaSE(S): PL LO X 

NUMBER OF SUCCESS PA 
AFTER FIRST FAILURE: 
REDUNDANCY SCREEN: A-N 


.FAILURE DETECTABLE IN 
.PROPELLANT TANK PRESS 
.PRESSURE 1312C 


FLIGHT?. YES 
URE VA2P-13IOC 
£ 13IEC 


GROUND TURNAROUND?. .. 
.SAME AS FLIGHT INSTRU 


MEN TAT10N 


AND MANIFOLD 


TIME 

St CON 

REFER 

V070- 

Mj07C 

SC72- 

VS 70- 


S-l k EV : i 
CR IT. FuNC : 
CR 1 T « hWL> • 
FF OF i 
00 X DU X I 
THS KLMA1NI! 

/A B-N/A 
TO EFFECT: 

DS TO DAYS 
ENCZ DuCUMEf 
^2 1 C 0 1 
-COC I-Clb 
SH-C 103-2 
A 21001 


PREPARED 5Y: 
DES 
REL 


SI EGELI N 
R DIEHL 


APPROVED BY: 
DCS _ 
RtL _ 


.ITEM: FEEDLINE AND FITTINGS 

. FROM TANK TO I) TANK VALVES TO 2) MANIFOLD VAlVES, TO 3) T n.RuST ERS . 

.FUNCTION: 

. TO PROVIDE FEED TO APPROPRIATE PROPELLANT COMPONENTS FOtv THRUSTER 
OPERATION - 3 AXIS ACCELERATION CONTROL AND ROTATIONAL CONTROL. 

.failure mode: external leakage (S) 

.CAUSE (S): 

. MECHANICAL SHOCK, VIBRATION/FATIGUE, STRUCTURAL FAILURE,, IMPROPER 
INSTALLATION (WELD) . FLUID FITTING SEAL FAILURE. 

.EFFECT(S): ON (A) SUBSYSTEM ( B ) INTERFACES (OMISSION ( D )CR lW/VEHI ClE : 

. (A) POTENTIAL LOSS OF PROPELLANTS. (3) POTENTIAL CORROSION FROM hKc'E 

. PROPELLANTS IN MODULE. (C ) POTENTIAL MISSION LOSS OR ABGkT DtCiSluN. 
(C). POTENTIAL LOSS OF CREW/ VEHICLE IF LEAKING PROPfcLLANT EXPLODES DUE 
TO CONTACT WITH CATALYTIC AGENT OR HEAT SOURCE WITH SUSSfcQUtNT LOSS OF 
FORWARD MODULE OR I F LOSS OF PROPELLANT PROHIBITS tT SEPARATION. 

.CORRECTING ACTION: 

. ATTEMPT TO ISOLATE AND INITIATE ABORT IF REC*D. 

.r em arks /hazards : 

. POTENTIAL HAZARD OF FIRE/EXPLOSION FROM FREE PROPELuANTB. SOME LEAK 
POINTS MAY NOT BE ISOLATABLE (I.E. b EFG RE/UP STREAM OF TANK ISOLATION 
VALVES) NO REDUNDANCY PROVIDED FOR LINES. Sic HAZARD NO. 1 YXX-03G2-0A . 
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SHUTTLE CRITICAL ITEMS LIST - CRBITER 102 


SUBSYSTEM :EWD - REACTION CONTROL 
ASSEMBLY : P RGPELLANT FEED * 

P/N RI :V 070—421001 
P/N VENDOR: 

QUANTITY J1 

:ONE SET PER PROPELLANT 


FMEA NO 03— ZF -10 2108-1 REV: 12/08/ 
ABORT: CR IT. FUNC: L 

CRIT. KDW : L 

MISSIONS: HF VF X FF OF SM 

PHASE(S): PL LG X CO X 00 X LS 


REDUNDANCY SCREEN: A-N/A B-N/A C-N/ 



ITEM: FEEDLINE AND FITTINGS 

FROM TANK TO L) TANK VALVES TO 2 ) MANIFOLD VALVES, 
FUNCTION: 


See Section 13.0 
TO 3) THRUSTERS. 


TO PROVIDE FEED TO APPROPRIATE PROPELLANT COMPONENTS FOR THRUSTER 
OPERATION - 3 AXIS ACCELERATION CONTROL AND RGTATICNAL CONTROL. 
FAILURE MODE: EXTERNAL LEAKAGE (S) 


-CAUSEC S ) : 

. MECHANICAL SHOCK, VIBRATION/FATIGUE, STRUCTURAL FAILURE, IMPROPER 
INSTALLATION (WELD). FLUID FITTING SEAL FAILURE. 

. EFFECT ( S ) : ON (A) SUBSYSTEM (8) INTERFACES (OMISSION (D ) CREW/VEHICLE: 

. (A) POTENTIAL LOSS OF PROPELLANTS* (B) POTENTIAL CORROSION FROM FREE 

PROPELLANTS IN MODULE . (C) POTENTIAL MISSION LOSS OR ABORT DECISION. 

C D1 POTENTIAL LOSS OF CREW/VEHICLE IF LEAKING PROPELLANT EXPLODES DUE 
TO CONTACT WITH CATALYTIC AGENT OR HEAT SOURCE WITH SUBSEQUENT LOSS OF 
FORWARD MODULE OR IF LOSS OF PROPELLANT PROHIBITS ET SEPARATION. 
.DISPOSITION S RATIONALE ( A ) DESIGN (B)TEST (C } INSPECTION (D)FAILURE HISTORY 
. (A) FACTOR OF SAFETY GF 4.0 WILL MINIMIZE FAILURE POTENTIAL. DYNATUBE 

FITTINGS HAVE DUAL SEALS. WELO CONSTRUCTION REDUCES JOINTS & POSSIBLE 
LEAK PATHS. FASTENING CLAMPS AND TUBE SEND DESIGN ALLOWS DEGREE OF 
MOVEMENT WHICH HELPS PREVENTING LEAKS. (B) POST INSTALLATION TEST AMD 
OPERATIONAL CHECKOUTS HILL VERIFY SYSTEM INTEGRITY. ALL LINES SUBJECTED 
TO PROOF TEST OF U25 X MAX OPERATING PRESSURE OR 1.1 X SURGE (TRANSIT) 
PRESSURE WHICHEVER IS GREATER. PERFORMED TUBING CERTIFICATION PER 
"ORBITER TU8ING VERIFICATION PLAN S075-SH-02 05 " . (C) IN-PROCESS INSPECT 

INCLUDES NOT & CHECKS DURING INSTALLATION. TURNAROUND INSPECTION 
INCLUDES MONITORING FUNCTIONAL TESTS DURING PRESSURIZATION CYCLE FOR 
EVIDENCE OF LEAKS. VISUALLY INSPECT FOR OAM AGE WHERE ACCESSIBLE. 
HARDWARE INSPECT ION IN ACCORDANCE WITH PLANNING RQMTS APPROVED BY NASA 
(0) MINOR FAILURE HISTORY-CORROSION AND FAB PROBLEMS REPORTED DURING 
APOLLO PROGRAM AND CORRECTED WITH APPLICABLE TMO/TPC REQUIREMENT. 


aooo 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 02120-1 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-0001 6A 

ITEM . AC Motor Operated Valvp (Tank) FAILURE MODE Faik Clnqpri 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (l.e., AUTOMATICALLY 

! • ANNUNCIATE OR TAKE ACTION III RESPONSE)?- 

i la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIOIIS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

! 3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 

FAILURE MODE- (EITHER. BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? • . 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER I OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? • 

- ^EXPLANATION REQUIRED (SEE BELOW) 


YES 

m 

NO 

□ 

*YES 

□ 

NO 

P 

YES 

m 

*N0 

□ 

YES 

□ 

NO 

a 

*YES 

□ 

NO 

a 

*YES 

□ 

NO 

0 

*YES 

□ 

NO 

m 

u 

o 

* 

1 : 

*□ 


N/A □yESBnoQ 

YES 0*NO □ 
YES O*N0 □ 


CHANGE/ RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES . _ . . 3. P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE 3ELCV 

2.'jTJ 'HARDWARE ACCEPTS RISK 4. Q DETECTION DURING CHECKOUT 6. Q RECOMMENDED CHANGES BELOW 


I 


t 

1 

j 

t 


i 


■ P| FMEA CHANGE RECOMMENCED 
EXPLANATIOfl/COMMEHTS : . ' 

1. "RCS JETS" light on caution and warning panel. 

6. The manifolds are in parallel (2 legs) giving one redundant path. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS'- ORSITEK 102 


SUBSYSTEM :FWD - 
ASSEMBLY : PROPEL 
P/M ft 1 :<MC234- 

P/N VENDOR : 57S0C2 
QUANTITY :4 

; 7 WO RE 


REACTION CONTROL 
LANT FEED 
C 4-30 -0007/ —3 COS 
5/575GC26 

O'D PER PROP TANK 


Failure detectabl 

THRUSTER CHAMBER 
R V 42' P—1212— If: 16, 

3 ROUND TURNAROUND ' 
S AY t AS FLIGHT 


FMEA NO 03— 2 F - 
ABORT: ABORT, 
RTLS 

MISSIONS: hF 

PHASEIS): PL 

NUMBER UF SUCCE 
AFTER FIRST FaI 
REDUNDANCY SCREEN: 

E IN FLIGHT?. YES 

PRESS., MANIFOLD PRESSURE MONITO 
1312- 1316, 1521— 1532 


lUfcl 




.YES 


VF X 
LO X 
SS PA 
LURE: 
A-P 
TIMe 
SB CON 
REFER 
MJ07C 
SD72- 
VS 70— 


o-i k hV : 

CRIT. FUNC 
CK IT. httU 
FF OF 
QG X DU 
TnS i\c MA INI 


11/ I C/7 
: lft 

: 2 
S m 
LS 

mC. 


ASS F-F ASS 
TO EFFECT: 

DS 

ENCc DOCUMENTS: 
— 0CC1 — III b 
Sm— 0 1 03— 2 
A21uC1 


1 

C-PAS; 


PREPARED BY: 

DES R GONZALEZ 

rel r diehl 


.ITEM: VLV, AC MOTOR OPERATED - 
. Tank (1 1/2“ ). (LV 161-164). 

.FUNCT ION: 

. I) PROVIDES ISOLATION UF TANKS FROM MANIFOLDS. 2) PROVIDES BACK-UP 
SHUT-GFP/ISGLaT I DM OF PROP MANIFOLDS AND ASSOCIATED l HiUSTEr-.S * 
COMPONENTS. El -STABLE, (TANK PRL'SSURE-2^3 PS1). AC MOTOR DRIVEN 3 
PHASE (2 OF 3 WILL ACTUATE VALVE) lib TO 200 VOLTS 400 HZ . 

.FAILURE MODE: FAILS CLOSED ( F) 

. POSITION - INCLUDES RESTRICTED FLUW TO LEVEL THaT DOES NuT aLLO* PROPER 
MIXTURE RATIO. 

.CAUSE (S) : 

. VIBRATION, STRUCTURAL FAILURE. PREMATURE POWER TO MUlUK, ELBCI'kICAu. 
SHORT. 

. £ EF FC 7 { S ) : ON (A) SUBSYSTEM ( B ) INTERFACES (OMISSION ID )CRErt/ VEHICLE : 

. (A) LOSS GF PROPELLANT FLOW IN TWO MANIFOLDS AND SuESEOUcvT LOSS OF 

. THRUSTER FUNCTION (THRUSTER BURN-THRU DUE TO OXID RICH MIXTURE). (S) 
POSSIBLE bURN-TbRU PROROGATION. (C) LOSS OF MISSION. ABORT DECISION. 
(D) POTENTIAL VEHICLE DAMAGE FROM COLLISION WITH RtNDEVCUS TARGGcT, 
AFTER SECOND FAILURE. CRIT L FOR RTLS ABORT. 

.CORRECTING ACTION: 

. UTILIZE REMAINING FGRWARD ThRUSTERS IN COUPLE WITH APPROPRIATE aFT 
THRUSTERS FOR BRAKING. DE-ORBIT WITH AFT MODULES 
.REMaRKS/MAZARDS : 

. POTENTIAL HAZARD OF EXPLOSION IF OX V,ALVt FaILS. SEE PARKER FMEa f- KhH 
5 75 0023 . 


APPROVED BY: 
DES 

kel 
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SHUTTLE CRITICAL ITEMS LIST - CRBITER 102 


SUBSYSTEM :FWO - REACTION CONTROL 
ASSEMBLY : PROPELLANT FEED 
P/N RI :MC2 84— 0430—00 07 /— 0008 
P/N VENDOR: 575 0025/5750026 
QUANTITY =4- 

;TVtO REQ* D PER PROP T *NK 


FMEA MO 03— 2 F 
ABORT: ABORT, 
RTLS 

MISSIONS: HF 

PHASE { S ) : PL 


— 102 120— I • REVsll/10/- 

CP IT. FUNC: 1R 

CRIT. HDW : 2 

VF X. FF OF SM 

LO X CC X DO LS 


REDUNDANCY SCREEN: A-PAS5 


PASS C-PAS 


PREPARED 

OES 

R6L 


BY: 


R 


GONZALEZ 
R DIEHL 


APPROVED/BY: 
DES 
RE 


rKUV fcU/O Y : /7 // 

l v 






RO VED WITH CHANGES 
Section 13.0 


PROVIDES BACK-UP 


ITEM: VLVr AC MOTOR OPERATED - 
TANK (1 1/2”)- (LV 161-164). 

FUNCTION: 

I) PROVIDES ISOLATION OF TANKS FROM. MANIFOLDS. 2) 

SHUT-OFF/ rSOLAT ION OF PROP MANIFOLDS AND ASSOCIATED THRUSTERS* 

COMPONENTS.. 8T— STABLE* (TANK PRESSURE-245 PSD. AC MOT CR DRIVEN 3 
PHASE (2 OF 3 WILL ACTUATE VALVE) 115 TO 200 VOL^S 400 HZ. 

FAILURE MODE: FAILS CLOSED (F) 

POSITION - INCLUDES RESTRICTED FLOW TO LEVEL THAT DOES NOT ALLOW PROPER 
MIXTURE RATIO. 

CAUSE! S): 

VIBRATION* STRUCTURAL FAILURE. PREMATURE POWER TO MOTOR, ELECTRICAL 
SHORT.. 

EFFECT IS}: ON { A) SUBSYSTEM ( B ) INT ERF ACES (OMISSION CD) CR EV-/VEH ICLE: 

(A) LOSS OF PROPELLANT FLOW IN TWO MANIFOLDS AND SUBSEQUENT LOSS OF 
THRUSTER FUNCTION (THRUSTER BURN-THRU DUE TO OX ID RICH MIXTURE 3 . C B1 
POSSIBLE BURN-THRU PROROGATION- (C) LOSS OF MISSION. ABORT DECISION. 

(D) POTENTIAL VEHICLE OAMAGE FROM COLLISION WITH RENDEVOUS TARGGET, 

AFTER SECOND FAILURE- CRIT L FOR RTLS ABORT. 

DISPOSITION £ RATIONALE (A) DESIGN (B)TEST { C ) INSP ECT ION (O)FAILURE HISTORY: 
( A J VALVES ARE ALWAYS OPEN- DUAL SERIES SWITCHES WILL PPEClUDE SINGLE 
FAILURE PREMATURE ACTUATIGN. SHORTED RPC WILL NOT CLOSE VALVE. ( B) 

EACH VALVE IS SUBJECTED TO ACCEPT TEST VIBRATION. VALVE IS SUBJECTED TG 
48 MIN OR RANDOM VIS IN EACH AXIS AT ANTICIPATED MISSION LEVELS ANO AM 
ENDURANCE TEST EGUIV- TO 100 MISSIONS DURING THE QUAL TEST PROGRAM. 

EACH VALVE SUBJECTED TO PROOF PRESSURE OF 1500 PSIG. MORE THAN 4 X 
WORKING PRESSURE- CC> AUDIT CONDUCTED 7-1-76 VERIFY SUPPLIER INSPECTION 
CONTROL OF PARTS ID AND PROTECTION* MFG PROCESSES* ELECT TERMINATIONS. 
TURNAROUND INSPECTION INCLUDES MONITORING TEST TO VERIFY ELECTRICAL 


POWER TO VALVE FDR 
EXPERIENCE- 


EVIDENCE OF SHORT CIRCUITY- (0) NO FLIGHT FAILURE 
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S D75 -SH -0 003 



HARDWARE/SOFTWARE ANALYSIS CHECKLIST 
Fwd. Reaction Control pMEA NUMBER 


03-2F-1 02150-1 
SD75-SH-OG1 6A 


luick Disconnect 


FAILURE mode External Leakaqe 


1. DOES- THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
- ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? ' 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? ^ 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACT I Oil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

* EXPLANATION REQUIRED (SEE BELOW) 


YES 0) fi0 □ 
*YES □ NO p 
YES [X| + N0 □ 

' yes □ NO 0 
*YES Q NO [X] 

*YES P NO 0 
*YES P NO HJ 

*0 □ *1[I] 2Q 

N/A DyESDnoD 

YES 0*t;o □ 

YES 0*NO □ 


CHANGE/RETENTION RATIONALE SUMMARY 

NO H/S ISSUES 3. P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2.[p HARDWARE ACCEPTS RISK 4.0 DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW' 



3 FMEA CHANGE RECOMMENDED 



1. The tank pressure drop (worst case/full open) will be detected by V42P1115.C, 1116C; 
unless regulated the gross leak indication will detect it. Also measurements 1313C, and 
1314C appear obsolete and should be removed from the FMEA. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


GRBITtk IC2 


SUE SYSTEM :FWD - REACTION CONTROL 

ASSEMBLY : PROPELLANT 

P/N R I :KC2?6-001S 

P/N VENDOR: 7630 10LC 

QUANTITY : 6 

: T hRE E REO PER PROPELLANT 


FMEA NO 03-2F -10215 C-I 
ABORT: C Rif. 


REV : 12 /l b/7; 


MISSIONS: HF VF X 

PHASb(S) : PL LG X 

NUMBER OF SUCCESS PATHS 
AFTER FIRST FAILURE : t 


FUN C: 
CR IT . hWD : 
FF OF Sh 
00 X 00 X LS 
REHA INIiVG 


REDUNDANCY SCREEN: A-N /A B-N/A C-N/A 


FAILURE DETECTABLE IN FLIGHT?. YES 
LOSS OF TANK PRESSURE V42P-1310C, 
1312C, 1313C* 1314C , . 1315C TANK TEMP 

I3G0 AND 1400 

GROUND TURNAROUND? N/A 


TIME TO EFFECT: 
SECONDS TO DAYS 
REFERENCE DOCUMcNTS: 
MJC70— GCC-1— C'lb 
S072— Sh— G1 03— 2 
VS 70-42100 1 


PREPARED BY: 

DES C SCARLETT 

RE L R D I EH L 


APPROVED BY: 

DES 

REL 


ITEM: DISCONNECT, QUICK, FILL 

PROPELLANT, SPRING LOADED POPPET (I STRUCTURAL CAP <MC119-i26) . 
c UNCTION: 

TO PROVIDE FOR DRAI NlNG , VENTING, AND BLEEDING PROPELLANT TANKS. IN 
BOTH HORIZONTAL AND VERTICAL VEHICLE OR IENTaTIGiM . 

FAILURE MODE: EXTERNAL LEAKAGE (S) 

DURING FLIGHT 
CAUSE ($ ) : 

V IS RATION , AND LOOSENING OF RETAINER NUT, PIECE PART STRUCTURAL FAILURE, 
MECHANICAL SHOCK. 

EFPECT(S): ON (A) SUBSYSTEM (6 ) INTERFACES (OMISSION ( D )CR EW/ VEHICLE : 

(A) LOSS OF PROPELLANT OVERBOARD (1ST ORDER FAILURE FOR LOOSE RETAINING 
NUT). (8) POSSIBLE FIRE/EX PLOS ION IF FUEL REACTS Wllrt CXlDiZtK (2ND 
ORDER ) OR EXTREME HEAT DURING RE-ENTRY. (C) POSSIBLE LOSS OF MISSION 
DUE TO FLUID LOSS. ( C) POSSIBLE LOSS OF CREW/ VEHICLE IF FAILURE QCClRS 
PRIOR TO ET SEPARATION. 

.CORRECTING ACTION: 


. INITIATE ABORT OR RESCUE OPERATIONS. 

. R EM AR KS/H AZ A R DS : 

. POTENTIAL HAZARD FROM FIRE, EXPLOSION, 
HAZARD 1YXX-0 302-05 . 


AND FREE PROPELLANTS, 


original page is 

©/"Vrtrj 


SEE 
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SHUTTLE CRITICAL ITEMS LIST - GRBITER 102 


SUBSYSTEM :PWD - REACTION CONTROL 

ASSEMBLY : PROPELLANT 

P/N RI :MC276-0018 

P/N VENDGR:76301000 

QUANTITY r 6 


FMEA NO 03-2F -102150-1 REV:12/08/78 

ABORT: CRIT. FUNC: 1 

CR IT . HDH : i 

HISSIQNS: HF VF X FF OF SM 

PHASEIS): PL LQ X DC X DO X LS 


: THREE REQ PER PROPELLANT 

REDUNDANCY SCREEN: 

PREPARED BY: - APPROVED BY: , 

DES C SCARLETT DES T 

REL R DIEHL REL Z** 


-ITEM: DISCONNECT t QUICK, FILL 

. PROPELLANT, SPRING LOADED POPPET £ STRUCTURAL CAP 

.FUNCTION: 

. TO PROVIDE FOR DRAINING, VENTING, AND BLEEDING .PROPELLANT T ANKS . IN 
BOTH HORIZONTAL AND VERTICAL VEHICLE ORIENTATION. 

•FAILURE MODE: EXTERNAL LEAKAGE (SI 

. DURING FLIGHT 

.CAUSECS ): 

. VIBRATION, AND LOOSENING OF RETAINER NUT, PIECE PART STRUCTURAL FAILURE, 
MECHANICAL SHOCK. 

. EFFECT ( S ) : ON { A) SUBSYSTEM [ B 5 INTERFACES (OMISSION ( D)CREW/V=HICLE: 

(A) LOSS OF PROPELLANT OVERBOARD (1ST ORDER FAILURE FOR LOOSE RETAINING 
NUTi. (BJ POSSIBLE FIRE/EXPLOS I ON IF FUEL REACTS WITH OXIDIZER {2ND 
ORDER) OR EXTREME HEAT DURING RE-ENTRY. (C) POSSIBLE LOSS OF MISSION 
DUE TO FLUID LOSS. (D) POSSIBLE LOSS OF CREW/VEHICLE IF FAILURE OCCURS 
PRIOR TO ET SEPARATION. 

.DISPOSITION £ RATIONALE ( A ) DE SIGN (B)TSST (C ) INSP ECTION { D ) FAILURE HISTDRY: 
(A) CAP SEAL DESIGN DETERMINED TO BE ADEQUATE TO PRECLUDE LEAKAGE. 

DESIGN FACTOR OF SAFETY IS 3.0 X 710 PSIG MAX WORKING PRESSURE. CAP 
PLUS COUPLING CONSTITUTES DUAL SEALING. ALL RETAINER NUTS ARE PROPERLY 
TORQUED TO PRECLUDE LOOSENING. (B) SEALS ARE EXPOSED TO OVER 500 CYCLES 
DURING DEVELOPMENT. CQJPLINGS ARE SUBJECTED TO 600 OPERATIONAL CYCLES 
IN DUAL TEST. ALL CAPS £ COUPLINGS LEAK TESTED FOR 3 MIN. AT PRESSURES 
UP YO 1.25 MAX WORKING PRESSURE DURING ACCEPTANCE TEST. 

TURNAROUND LEAK CHECKS PERFORMED BEFORE EACH FLIGHT. RANDOM VIBRATION 
PERFORMED DURING QUAL PROGRAM. 68 MINUTES IN TWO EXES AT ANTICIPATED 
MISSION LEVELS. (C) TURNAROUND INSPECTION INCLUDES VISUAL INSPECTING 
ALL COUPLINGS -THAT HAVE BEEN USED DURING TURNAROUND FOR DAMAGE PLUS 
INSPECTING FOR LEAKS DURING LEAK CHECKS- ALSO, PROPER BLEED SCREW 
TORQUE IS VERIFIED PRIOR TO REINSTALLATION OF ANY CAPS THA T HAVE BEEN 
REMOVED. SUPPLIER AUDIT CONDUCTED 4-5-77 VERIFIED THAT SUPPLIER 
INSPECTION CONTROLS RAW MATERIAL PARTS IDENTIFICATION, MFG PROCESSES, 
CONTAMINATION CONTROL, AND STORAGE ENVIRONMENTS. (D) NEW DESIGN FOR 
SHUTTLE APPLICATION. NO FLIGHT FAILURE HISTORY. 


A-N/A B-N/A C-N/A 

PD BY.y^NA SA f) 

PPftO'VED WITH CHANGES 
See Section 13.0 

(MD119-126). • 
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s D75 -SH -0 003 



HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 021 50-2 
SUBSYSTEM Fwd. Reaction Control FMEA number SD75-SH-0016A 

ITEM Quick Disconnect FAILURE mode Fails Closed/Ground Ops 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? ' 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (COilSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACT I Oil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 

CHANGE/RETENTIOfi RATIONALE SUMMARY 
1.0 NO H/S ISSUES 3.p NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2 . □ HARDWARE ACCEPTS RISK ' 4. JZJ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 

t 

\ 

I 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMEHTS : 


Out of scope - ground operations only. 


YES 

□ 

NO 

□ 

*YES 

□ 

NO 

P 

YES 

□ 

*N0 

□ 

YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

*0 □ *l| 

□ 

zD 


N/A □yESQnoQ 

YES Q-ilO □ 

YES O*N0 Q 


* 

! 

T 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS — GR3I FER 101 


SUBSYSTEM : FWO - REACTION CONTROL 

ASSEMBLY : PROP ELL ANT 

P/N PI :MCZ7f.-CG18 

P/N VENDOR: 761010 00 

QUANTITY : fc 


FMEA NG 03-2F -102150-2 REV: 06/27/7. 
ABORT: CHIT. FuNC: 

CR1T. HWD: 3 

MISSIONS: HF Vf X FF OF SM 

PHASE { S ) s PL X LO 00 DO LS 


: NUMBER OF SUCCcSS Pa TnS REGAINING 

: THRE E REQ PER PROPELLANT AFTER FIRST FAILURE: 

REDUNDANCY SCREEN: A-PASS B-N/A C 

FAILURE DETECTABLE IN FLIGHT? . NA TIME TO EFFECT: 

SECONDS TO HOURS 
REFERENCE DOCUMENTS 


0 

— PaS 


GROUND TURNAROUND? YES 

GROUND EQUIPMENT FLOW RATE READ OUT 


M J 07 0 — C 0 0 1 — D 1 b 
SD72—SH— 0103-2 
VS70-4210C1 


PREPARED BY: 

0£S C SCARLETT 

REL R DIEHL 


ITEM: DISCONNECT, QUICK, FILL 

PROPELLANT, SPRING LQaCEQ POPPET E STRUCTURAL CAP (MDll?-i2c). 
FUNCTION: 

TO PROVIDE FOR DRAINING, VENTING, AND BLEEDING PROPELLANT TANKS . IN 
SOT r; HORIZONTAL AND VERTICAL VEHICLE ORIENTATION. 

FAILURE MODE: FAILS CLOSED IF) 

CURING GROUND OPERATIONS 
C 4USE (S) : 

CONTAMINATION, PIECE PART STRUCTURAL FAILURE IMPROPER HANDLING. 
EFFECT! S): ON ( A) SUBSYSTEM ( 6 ) INTERFACES (OMISSION ( D )CR tw/ VchIC LE : 
(A) LOSS OF FILL CAPABILITY. <B) INCREASED GROUND OPBRATiUNS 
REQUIREMENTS. (C) LAUNCH DELAY. (D) NONE. 

CORRECTING ACTION: 

REMOVE AND REPLACE FILL VALVE OR ATTEMPT RECONNECT ION. 
REMARKS/HAZARDS : 

NONE. 


APPROVED BY: 

DtS 

K&L 
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- HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 02170-1 
:col_ FMEA NUMBER Sn75-SH-0m fiA 


1 . 

la. 

2 . 

3. 
3a. 

4. 

5. 

6 . 

7. 

8 . 


Bbfil (uiTliliBlliIdViHdU 


ernier 


FAILURE MODE 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES 0 NO □ 

ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES H NO fl 

USE TO DETECT THE FAILURE? ^ 

ARE THE ANSWERS TO OUESTIONS I AND la CONSISTENT WITH THE FMEA .EVALUATION OF YES DC) *N0 □ 

IN-FLIGHT 0ETECTA8ILITY? ^ j 

DOES THE FLIGHT SOFT!, 'ARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES □ NO 0 S 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? j 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES R NO 0 ! 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES □ NO fx} 

INDUCE ANOTHER FAILURE? • . „ 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES □ NO Pf 

OTHER FUNCTIONS? 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 □ *lfxl 2Q 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

IF CREW ACTION IS REQUIRED TO RESPOND TQ THIS FAILURE MODE, ARE CUES PROVIDED N/A flYES® NoH 
TO SIGNAL IKE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES (Tj*f!0 □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES 0*NO Q 


♦EXPLANATION REQUIRED (SEE BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES ' 3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2,(X) HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



1. Manifold status on CRT and panel talk back is available. 

6. One failure is all that can occur since there is no redundancy. The Shuttle can 
tolerate this failure since.it is a criticality 3. 

\ 

7. The measurements V42X1332X and V42X1232X are downlisted and available for CRT callup. 



SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS - ORB I TER 




5 Us SYSTEM : FWD - REACTION CONTROL 
ASSEMBLY : PROPELLANT FEED 
P/\ f PI : KC 28^- 0920—001 1/-0012 

P/N VENDOR : 73395-00 11/-0C 12 
QUANTITY : 2 

: ONE REC'D PER PROPELLANT 


FMEA NO 03-2F -1C217C-I RcV: 12/Ofc/V. 
ABORT: Ck IT. FuNC: 2 

CHIT. htoO: 2 

MISSIONS: HF VF X FF OF 3* 

PHASE(S): PL LO OG X DO LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 0 

SCREEN: A-PASS B-PASS C-FaIs 

TIME TO EFFECT: 

SECONDS 

REFERENCE DOCUMENTS: 
MJC70— C001— 01 B 
SD72— Sh— 3 I C - — Z 
VS70-A21G01 


REDUNDANCY 


FAILURE DETECTABLE IN FLIGHT?. YES 
MANI FLO POSITN INDICATOR V42X123 2E 
'/A2X1332E 


I P.OUN D TU RN AROUND ? . 
SAME AS FLIGHT 


.YES 


PREPARED 

D5S 

REL 


BY : 


R BURKHART 
R D I cH L 


APPROVED BY: 

DES 

REL 


.ITEM; VLVE,CC SGLEN OPERATED - 

. VERNIER THRUSTER MANIFOLD, ( 1/9 » ) 51— STABLE, SOLENOID DRIVEN ZcVDC. 

(LV 157-158) 

.FUNCT ION: 

. T L- PROVIDE ISOLATION OF PROPELLANT MANIFOLD AND ASSOCIATED VERNIER 
THRUSTERS 1) SUBSEQUENT fO DUV/N STREAM Fa1lUR£(S) 2) PRIOR TO SYSTEM 
ACTIVATION. 

.failure mode: fa ils closed-premature <f) 

. OPERATION 

.CAUSE(S) : 

. IMPROPER ELECTRICAL SIGNAL {CONTINUOUS SHORT), PIECt PART FAILURE, 

C ON TAMI NAT i ON , VI ER AT ION. 

. ? PF EC T ( $ ) : ON (A) SUBSYSTEM ( B ) INT ERFaCES (OMISSION (0 )CR Eg/VEHIC lE: 

. (A) LOSS OF VERNIER ThNUSTER FUNCTION. (3) NONE. (C) POSSIBLE EARlY 

. MISSION TER.nl'NA T IO'V « BECAUSE LARGE THRUSTEP^ INADECUaI E FuK SMALL RATE 
ATTTTUOE hOLD. (D ) NONE. 

.CORRECTING ACTION: 

. ATTEMPT TO UTILIZE LARGE THRUSTER IN AFFECTED AXIS TU MAINTAIN SMaLL 
DEADBAND. 

. R EX AK KS/H A Z ARDS : 

. POTENTIAL FOR COLLISION WITH OR LOSS OF PAYLOAD/SATELLITE. SEl 
CONSOLIDATED CONTROLS FMEA # 73895 FMEA 1. 
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SHUTTLE CRITICAL ITEMS LIST - CRB ITER 102 


SUBSYSTEM :F«D - REACTION CONTROL 
ASSEMBLY : PRO D SLL ANT FEED 
P/N RI :M 0284-0420— 001 1/— 0012 

P/N VENDOR: 73895-C011/-0012 
QUANTITY : 2 

: ONE REQ'O PER PROPELLANT 


FME A NC 02-2F -102170-1 REV:12/03/7 

ABORT: CRIT. FUNC: 2 

CR IT . HDw: 2 

MISSIONS: HF VF X FF CF SM 

PHASE I S ) : PL LO 00 X 00 LS 


REDUNDANCY SCREEN: A-PASS 3-PASS C-FAI 

PREPARED BY: AP PRCV c% SY: ft APPROVED B / (NASA): (jf 

DES R BURKHART DES . SSM U} , 

REL R DIEHL REL * RSJySj.. 

ITEM: VLV5.DC SCLEN OPERATED - 

VERNIER THRUSTER MANIFOLD, [1/4"} SI-STABLE, SCLENCID DRIVEN 28VDC. 

(LV 157-153) 

FUNCTICN: 

TO PROVIDE ISOLATION CF PRC R ELLA NT MANIFOLD AND ASSOCIATED VERNIER 
THRUSTERS 1) SUBSEQUENT TO DOWNSTREAM FAIL'JREIS) 2) P^ICR TO SYSTEM 


ACTIVATION. 

.FAILURE MODS: FAIL CL CSED-.PR EM A TUBE ( F.) 

. OPERATION 
.CAUSE! S) : 


IMPROPER ELECTRICAL SIGNAL (CC; 
CONT AMINAT ION. VIBRATION. 


NT I MUCUS SrCRT) 


; E PAR' 


: A I LU RE , 


. E rFEC T ( S ) : ON (A)SJSSYSTEH { 5 1 INTERFACES (OMISSION (D } C- EV./ VEH ICLE : 

. (A) LOSS OF VERNIER THRUSTER FUNCTION. (3) NONE. (C) D CSSIBLE EARLY 

MISSION TERMINATION. BECAUSE LARGE THRUSTS 3 S INADEQUATE FOR SMALL RATE 
ATTITUDE HCLD. CD) NONE. 

.DISPOSITION C RATIONALE ( A } DE SIGN (S)TEST (C ) I NS D EOT ION (OFAXLURE HISTORY: 
. (A) SERIES CONTROL CIRCUITRY PROVIDED TO MINIMIZE FAILURE MODE, 100 

MICRON FILTER IS PROVIDED. MEDIA HAS SEEN FILTERED TC 25 MICRON PRIOR 
TC ENTERING TANK. SPECIAL E U PBA$AS PLACED GN THE DESIGN AND LAYOUT OF 
SOLENOID HIRING TO PRECLUDE SHORTS- (3) QUAl TEST INCLUDES 43 MINUTES 
PER AXIS OF RANDOM VIBRATION AT ANTICAPTED MISSION LEVELS AND LIFE 
TESTING CONSISTING OF 2000 OPERATING CYCLES. ITEM IS USED DURING SYSTEM 
EVALUATION AT WHITE SANDS TESTING. (C) TURNAROUND INSPECTION INCLUDES 
MONITORING T=STS TO VERIFY ELECTRICAL PC«ER TQ SCLENGIO VALVE FOR 
EVIDENCE OF SHORT CIRCUIT, SUPPLIER AUOIT CONDUCTED 8-31-77 VERIFIED 
SUPPLIE INSPECTION EXCERCISEO CONTROL OF PARTS ID, PARTS PROTECTION, KFG 
PROCESSES, CONTAMINATION CONTROL, AND CQRRGSICN PROTECTION VERIFICATION. 
(D) FAILURES GN APOLLO WERE MOSTLY DUE TO CONTAMINATION RESULTING FROM 
IN-HOUSE PROCESSING. 
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- HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-11 111 0-1 

SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-00] 6A 

ITEM Tank Assembly and Propellant FAILURE MODE Large Rupture 


Devic 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TARE ACTION IN RESPONSE)?. 

la. IF HOT i DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? ' ■ 

2. ARE THE ANSWERS TO CUESTIONS 1 AND la CONSISTENT WITH THE FMEA. EVALUATION OF 
IN-FLIGHT DETECTABILITY? . 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? • . 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE KAROWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTUARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER I OR 3 IS YES: 

A. CAN THE BFS 8£ ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATION REQUIRED (SEE. BELOW) 


Y£S 0 NO □ 
*YES Q NO Q 
YES □ -NO [X] 
YES P NO 0 
*YES □ NO 0 

*YES □ NO 0 
*YES O NO 0 

*0 £] *lQ 2P 

N/A DyesQnoP 


YES [Xj*f!0 □ 

YES O*N0 0 


CHANGE/RETENTION RATIONALE SUMMARY 

1 . □ NO H/S ISSUES ; 

2. D HARDWARE ACCEPTS RISK 


3. '0 NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ACCEPTANCE RATIONALE BELOW 

6. '□ RECOMMENDED CHANGES BELOW 


In-F'light Detectability 

OD FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 


1. V42P1115C, 1116C will give a class 2 caution and warning alert. 

Gross leak indication will detect failure. 

If an internal rupture occurs and helium reaches the thrusters you will get a "fail off" liaht 
from redundancy management. . U9rvc 

6. There are no redundant, tanks. 


8b. Backup flight system same as primary. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


ORblTtR If 2 


S US SYSTEM iFWD - REACTION CONTROL 
ASSEMBLY .‘PROPELLANT FEED 
D /N R 1 :MC 28 2—0061 -0001/0002 

P/\* VENDOR : 8 3 5C 33 2 0COU-CC9/010 
quantity :z- 

iOhb REQ'D 
•‘PER PROPELLANT 

FAILURE DETECTABLE IN FLIGHT?. YES 


MONITOR TANK PRESSURES V4 2P131CC 
11L6C 

i 

GROUND TURNA ROUND ? YES 

sake as flight 


FMEA NO 03-2F -1111IC-1 REV: 12/19/7: 
AEORT: CRIT. FUND: 1 

CPir. HWu*: 1 

MISSIONS: HF VF X FF OF SM 
PHASE IS): PL X LO X GU X CD X LS 
NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 0 

EDUNDANCY SCREEN: A-N/A F-N/a C-N/A 

TIME 10 EFFECT: 

13 i2c » 13 i 6 c » seconds 

REFERENCE DOCUMENTS: 

MJO 70— OCQl — CIS 
S072— SH— u 103— Z 
VS7C— A-21 001 


PREPARED BY: 
DES 
REL 


APPROVED BY: 

R SEMIS DES 

R DIEHL REL 


HEM: TANK ASSY , PROPELLANT 

INCLUDING PROPELLANT ACQUISITION DEVICE AND COMPARTMENT BARRIER. (TK 
1 02 ) . 

FUNCTION: 

TO STORfc/SUPPLY PROPELLANT TO REACTION CONTROL ENGINE MANIFOLDS. 
NOMINAL STORAGE PRESSURE 2A5 PSIG + OR -15 (1.5 SAFETY FACTOR). 

FAILURE MODE: STRUCTURAL FAILURE - <S) 

TANK WALL CRACK OR RUPTURE WhlCrl PROROGATES AROUND TANK 
CAUSE (S): 

V lb RATION » OVER PRESSURIZATION t MECHANICAL SHOCK, STRESS CORROSION, 
FATIGUE. 

EFrrCTtS): ON (A) SUBSYSTEM (B ) INTERFACES (OMISSION (OCR EW/V LhlC L h s 
(A) LOSS OF PROPELLANT SUPPLY FOR MODULE THRUSTERS. (8) PGTEM iAL 
FIR '/EXPLOSION AND CERTAIN CONTAMINATION OF SUBSYSTEMS IN RLS 
COMPARTMENT. (C) LOSS OF MISSION. (D) POTENTIAL LUSS UP CREW/VEhICLl 
FROM EXPLOSION AND/GR LACK OF PROPELLANT. 

.CORRECTING ACTION: 

. NONE AVAILABLE 
.R EM ARKS/HAZARDS: 

. POTENTIAL HAZARD FROM FIRE, EXPLOSION DUE TO FREE FUEL IN MCLULE. 
REFtRENCE HAZARDS 1YXX-C302-G2 AND 1YXX-03C2-0A . 
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SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM JFWD - REACTION CONTROL 
ASSEMBLY :PROPELLANT FEED 
P/N R£ :MC2S2—0C6 1-000 1/0002 

P/N VENDOR: 8 55C332 CQOO— 009/Q L 0 
QUANTITY : 2 

: ONE REQ'O 
: P ER PROPELLANT 


FMEA NO 03— 2 F -lllliO-i R£V:ll/09/ 
ABORT: CRIT. FUNC: L 

CRIT. HOf? : L 

MISSIONS: HF VF X FF OF SM 
PHASE ( S ) : PL X LO X 00 X OQ X LS 


REDUNDANCY SCREEN: A-N/ A B-N/A C-N/i 


PREPARED BY: APPROVED BY: A 
OES R BENI S DES S 
REL R DIEHL REL R 


ITEM: Tank. ASSY, PROPELLANT 

INCLUDING PROPELLANT ACQUISITION DEVICE 4N0 COMPARTMENT BARRIER, (TK 
103). 

FUNCTION: 

TO STQRE/SUPPLY PROPELLANT TO REACTION CONTROL ENGINE MANIFOLDS- NOMINAL 
STORAGE PRESSURE 245 PSTG +'CR -15 (1-5 SAFETY FACTOR). 

FAILURE MODE: STRUCTURAL FAILURE - {$) 

TANK WALL CRACK OR RUPTURE WHICH PROROGATES ARC UNO TANK 
CAUSE(S) : 

VIBRATION, OVERPRESSUR I ZATI ON , MECHANICAL SHOCK, STRESS CORROSION, 
FATIGUE. 

EFFECT! S ) : ON (A) SUBSYSTEM ( B 1 INTERF ACES (C1MISSICN ( 0 ) CREW/ VEH ICLffs 
t A > LOSS OF PROPELLANT SUPPLY FOR MODULE THRUSTERS. 13) POTENTIAL 
FIRE/EXPLOSION ANO CERTAIN CONTAMINATION OF SUBSYSTEMS IM RCS 
COMPARTMENT. IC) LOSS OF MISSION. CO) POTENTIAL LOSS OF CRFW/V EH I CL E " 
FROM EXPLOSION AND/OR LACK OF PROPELLANT. 



See Section 13.0 


• DISPOSITION €. RATIONALE (A ) DESIGN ( 5 ) TEST IC 3 INSPECTION { D) FAILUkE HISTORY: 
'* (A) DESIGN FACTR OF SAFETY IS 1.5 MIN. DEVELOPMENT TESTS INCLUDE WELD 

CYCLE LIFE (SOO CYCLES ) , FRACTURE MECHANICS, FORGING EVALUATION, AND 
TUBE SWAGING. (B) TANKS SUBJECTED TO RAO IOGRAPHI C , FLUORESCENT 
PENETRANT, PROOF PRESSURE 11.33 MAX OPER PRESSURE), AND EXTERNAL LEAK 
TESTS DURING ACCEPTANCE TESTING., TANKS SUBJECTED TO 90 DAY PRO PELL AN T 
EXPOSURE, 800 PRESSURE CYCLES, 48 MINUTES PER AXIS OF 3.9 GRMS RANDOM 
VIBRATION ANO BURST PRESSURE DURING QUAL PROGRAM. (C) TURNAROUND 
INSPECTION INCLUDES MONITORING FUNCTIONAL TEST DURING PRESSURIZATION 
’CYCLE FOR EVIDENCE OF LEAKS* VISUAL INSPECT WHERE ACCESSASLE FOR 
DAMAGE* AUDIT CONDUCTED 11-1-76 YERI C IED SUPPLIER INSPECTION CONTROL OF 
HATL IDENTIFICATION PARTS PROTECTION MFG PROCESSES, CORROSION PROTECTION 
PROVISIONS r NDE EXAM OF WELDS AND STORAGE ENVIRONMENTS. (D) NONE {NEW 
DEVELOPMENT ITEM).. 


si 1032 


S D75-SH -0003 



SUBSYSTEM 


■ HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-11 1110-2 
Fwd Reaction Control FMEA DUMBER •' SD75-SH-0016A 


1. DOES THE FLIGHT SOFTWARE CETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
* ANNUNCIATE OR TAKE ACTION IN RESPONSE}?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER 6Y COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFT WARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? ■ 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES 0 NO □ 
♦YES □ NO p 
YES □ *N0 [7J 

YES □ NO Q 
*Y£S Q NO [X] 

♦YES □ ho GO 
♦YES Q NO QJ 

*0 B *!□ 2D 

m □ YESfX^NoQ 


YES £]*f{0 □ 

YES □♦NO g] 


CHANGE/RETENTIQN RATIONALE SUMMARY 
1.0 NO H/S ISSUES - . _ ... . 

2.'JZJ HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELCW 

6. □ RECOMMENDED CHANGES BELOW 


-Flight Detectability 

FMEA CHANGE RECOMMENDED 


EXPLAHATION/COMMENTS : " 

1. V42P1115C, 1116C will give a class 2 caution and warning alert. 

Gross leak indication will detect failure. 

If an internal ruputre occurs and helium reaches the thursters you will get a "fail off" light 
from redundancy management. 

6. There are no redundant tanks. 


8b. Backup flight system same as primary. 


SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS - OkBITSK 102 


SUBSYSTEM : PW D - REACTION CONTROL 
.ASSEMBLY : PROPELLANT FEED 
. ? /N R I : KC2B 2—0061 — OCC 1/C002 

.P/M VENDOR: 25 5C 53 2000 0-009/ Cl C 
.QUANTITY : 2 
. <: ONE REQ ' 0 

. t PER PROPELLANT 


FMEA NO 03— 2 F -11 1 110-2 RfcV:12/ib/7: 

ABORT : CKLf. FUNC: 2 

GRIT. h AO: 2 


MISSIONS: HF VF X FF OF SM 
PHASE(S): PL X LO X CO X 00 X lS 
NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 0 

REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 


• FAILURE DfcTECTASL £ IN FLIGHT?. YES 

.MONITOR TANK PRESSURE V4ZP-13I0C,1312C ,13 16C, 

. 1 116C 


• GROUND TURNAROUND? YES 

.SAME AS FLIGHT AND VISUAL OBSERVATION 


TIME TO EFFECT : 

CAYS 

REFERENCE DOCUMENTS: 
MJ37C-CCC1-CIF 
SD72-SH— C1G5-2 
VS70-A21C01 


PREPARED PY: 

D6S R BEMIS 

REL R DIEHL 


. ITEM: tank ASSY, PROP EL LAN f 

. INCLUDING PROPELLANT ACQUISITION DEVICE AND COMPARTMENT EAKRiLK. (In 
1 03 ) . 

.FUNCTION: 

. TO STORc/SUPPLY PROPELLANT TO REACTION CONTROL ENGINE MaNI FOLDS • 

NOMINAL STORAGE PRESSURE 245 P.SIG + OR -15 (1.5 SAFETY FAC 1 0R ) . 

.FAILURE MODE: EXTERNAL LEAKAGE - (S) 

. Tank CRACK OR FLAW WHICH ALLOWS A LIMITED AMOUNT OF PRO PEL L ART TO LeAVE 
THE TANK. 

.CAUSE (S): 

. V 18 RATION * STRESS CORROSION, PRESSURE CYCLES, FATIGUE OK FLANGE S A L 

failure. 

. E FFECT ( S ) : ON ( A) SUPS YSTEM ( B ) INTERFACES (C)MlSSION IC)CA£W/VcmICL;S 
. i A > LOSS OF A QUANTITY OF PROPELLANT AND HELIUM TO AN EXTENT DEPENDENT 

. ON SI 2 E AND LOCATION OF LEAK. (B) CONTAMINATION OF SURROUNDING AREA AND 
SUBSYSTEMS. (C) LOSS OF MISSION. (D) POTENTIAL EXPLOSION AND LOSS OF 
CRLW/VEH1CLE IF IGNITION SOURCE PRESENT (SECOND FAlLURc). 

.CORRECTING ACTION: 

. CLOSE HELIUM PRESSURIZATION ISOLATION VALVE TO MINIMIZE AMOUNT OF 
PROPELLANT/hELIUM LOST. 

• REM ARKS /HAZARDS : 

. POTENTIAL HAZARD FROM FREE PROPELLANT IN MODULE. NO REDUNDANCY PROVIDED 
FOR THIS ITEM. REFERENCE HAZARD 1YXX-03 02-05 . 


APPROVED BY; 
OcS _ 
REL . 


ommL 

of poqm 
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SHUTTLE CRITICAL ITEMS LIST - 0P3ITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : PROPELLANT FEED 
P/N RI : MC2 62- 0 CSl— 0001 /0002 

P/N VENDOR: 855C332 0000-009/ 91 0 
QUANTITY : 2 

: ONE REQ' D 

:PER propellant 


FMEA NO 03-2F -111110-2 REV: 11/10/7 
ABORT: CRIT. FUNC: 2 

CP IT . HDrf : 2 

MISSIONS: HF VF X FF OF SM 
PHASE { S 3 : PL X LO X 00 X DO X LS 


PREPARED BY: 

DES 

REL 


REDUNDANCY SCREEN: 
,Y: 


A-N/A B-N/A 


C-N/A 


R SEMIS 
R DIEHL 


AP PRO 
DES 


APPROVED B.y/(NASA): 


AHPKU Vjcu BY/{NA60J: 

_ ^ ssm 

R MjO^dxuX 


^ APPROVED WITH CHANGES 

ITEM: TANK ASSY, PROPELLANT See Section 13.0 

INCLUDING PROPELLANT ACQUISITION DEVICE AND CO MP ARTMENT BARRIER. <TK 
103 ) » 

FUNCTION: 

TO STORE/SUPPLY PROPELLANT TO REACTION CONTROL ENGINE MANIFOLDS. NOMINA 
STORAGE PRESSURE 245 PSIG *- OR -15 11.5 SAFETY FACTOR). 

FAILURE MODE: EXTERNAL LEAKAGE «- {S3 

TANK CRACK. OR FLAW WHICH ALLOWS A LIMITED AMOUNT OF PROPELLANT TO LEA'/p 
THE TANK, 


-CAUSE! S3 : 

- VIBRATION, STRESS CORROSION, PRESSURE CYCLES, FATIGUE OR BLANGc SEAL 
FAILURE, 

• EFFECT (S3: ON { A) SUBSYSTEM IB 3 1 NTERF ACES {OMISSION C 0 ! CR EV./ VEH ICLE : 

* (A) LOSS DF A QUANTITY OF PROPELLANT AND HELIUM TO AN EXTENT DEPENDENT 
ON SIZEAND LOCATION OF LEAK. (B) CONTAMINATION OF SURROUNDING AREA AND 
SUBSYSTEMS- (C) LOSS OF MISSION- (D3 POTENTIAL EXPLOSION AND LOSS OF 
CREW/VEHICLE IF IGNITION SOURCE PRESENT (SECOND FAILURE). 

-DISPOSITION C RATIONALE I A 1 DE SIGN (B3TEST (C 3 IN SPECTI ON ( D 3 FAILURE HISTORY: 

- U) DESIGN FACTR OF SAFETY IS 1.5 MIN, DEVELOPMENT TESTS INCLUDE HELD 
CYCLE LIFE (BOO CYCLES), FRACTURE MECHANICS, FORGING EVALUATION, AND 
TUBE SWAGING- C B 1 TANKS SUBJECTED TO RAD I OGR APHI C, ■ FLUGRESCENT 
PENETRANl, PROOF PRESSURE (1-33 MAX OPER PRESSURE), AND EXTERNAL LEAK 
TESTS DURING ACCEPTANCE TESTING- TANKS SUBJECTED TO 90 CAY PPCPELL ANT 
EXPOSURE, GOO PRESSURE CYCLES, 48 MINUTES PER AXIS OF 3.9 GRMS RANDOM 
VIBRATION AND BURST PRESSURE DURING QUAL PROGRAM. (C) TURNAROUND 
INSPECTION INCLUDES MONITORING FUNCTIONAL TEST DURING PRESSURIZATION 
CYCLE FOR EVIDENCE OF LEAKS- VISUAL INSPECT WHERE ACCESSABLc FOR 
DAMAGE- AUDIT CONDUCTED 11-1-76 VERIFIED SUPPLIER INSPECTION CONTROL OF 
MATL IDENTIFICATION PARTS PROTECTION HFG PROCESSES, CORROSION PROTECTION 
PROVISIONS, NDE EXAM OF WELDS AND STORAGE ENVIRONMENTS. (D) NONE (NEW 
DEVELOPMENT ITEMS. 
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HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 1111 0-3 
SUBSYSTEM Fwd. Reaction Control FMEA NUMBER SD75-SH-001 6A 


FAILURE MODE 


Restricted Flow 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIOHS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE ■ 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAM THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

♦EXPLANATION REQUIRED (SEE. BELOW) 


YES g NO □ 
*YES □ NO p 
YES □ *N0 P 
YES P NO P 
*YES □ NO [X] 

*YES □ NO [X] 
*YES P NO {X] 

*0 Q *!□ 2p 

M/A □YEsQ.-lOp 


YES P*NO □ 

YES □*ilO □ 


CHANGE/RETEHTIOM RAT I OH At E SUMMARY 

1. Q NO H/S ISSUES 

2. [3 HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. P RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/ COMMENTS : 


"Fail Off" detection in RCS RM. 

No redundant tanks, 

_ No „cor.recti ng-action--*- abort, _ 


Same as primary. 
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ShUTTLE FAILURE ‘-'ODE AND EFFECTS ANALYSIS 


ORE IIEk 1C 2 


SUBSYSTEM : FWO - REACTION CONTROL 
ASSEMBLY : PROPELLANT FEED 
P/N R I : NC28Z—0C61— 0001/0002 

F/fv V EN OCR : 6 5 5 C 33 2C CO C-CC 9/ 01 C 
QUANTITY : 2 

: ONE KEQ'D ’ 

:PER PROPELLANT 

FAILURE DETECTABLE IN FLIGHT?. YES 


ENGINE PERFORMANCE 

G ROUND TURNAROUND? NO 


FMEA NO 03-2F -I111IC— 3 K2V:i2/iB/7 

ABORT: Cklf. FUNC : 1 

CRH. HWC: I 

MISSIONS: HF VF X FF uF SM 

PHASt(S): PL LC X UO X LG X LS 

NUMBER OF SUCCESS PA TnS REMAINING 
AFTER FIRST FAILURE: 0 

REDUNDANCY SCREEN: A-N/A E-N/A C-N/A 

TIME TO EFFECT: 

SECONDS Tu DAYS 
REFERENCE DOCUMENTS: 
MJG70-C0GI— Cl B 
SD72-SH-C 1C3-2 
VS 70-421 OC 1 


PREPARED BY: 
DES 
REL 


APPROVED BY: 
k fa EMI S DES __ 

R DIEHL REL 


I T B : TANK ASSY » PROPELLANT 

INCLUDING PROPELLANT ACQUISITION DEVICE AND COMPARTMENT E-ARk i ER . (TK 
1 03 J . 

FUNCTION: 

TO STORE/SUPPLY PROPELLANT TO REACTION CONTROL ENGINE MANIFOLDS. 

NOMINAL STORAGE PRESSURE 245 PSIG + DR -15 (1.5 SAFETY FaCIUR). 

FAILURE MODE: RESTRICTED FLOW - (S) 

STRUCTURAL FAILURE u’F PROPELLANT ACQUISITION DEVICE WHICH BLOCKS UR 
RETARDS RATE OF FLOW OF PROPELLANT INTO TANK OUTLET . 

CAUSE(S): 

VIBRATION , MECHANICAL SHOCK, EXCESSIVE FLOW RATES CUE TO EXCESSIVE GaS 
IN THRUSTER MANIFOLD. (SEE FAILURE MODE NO. 4 O.v NEXT PAGO). 

SFFLCT(S): ON ( A) SUBSYSTEM (B ) iNTLKFACt S (OMISSION (D )CR tW/Vfrt I OLE : 

(A) LOSS OF FULL PROPELLANT FLOW CAPABILITY/HElIUM INGESTION. (bj NOxc. 
(C) LOSS OF MISSION CUE TO LOSS OF PRGPELLaNT. (U) NOnc UXlBSS FaIlU^E 
OCCURS WHEN MODULE REQUIRED FOR ET SEPARATION. 

CORRECTING ACTION: 

NONE AVAILABLE - CLOSE DOWN FRCS AND ABORT MISSION. 

REMARKS/HAZARDS : 

COMPLETE LOSS OF FRCS USAGE THEREFORE ALL ATTITUuE CONTROL MUST dE 
ACCOMPLISHED BY ARCS. 


ORIGINAL PAGE IS 
OF POOR QUALITY 
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SHUTTLE CRITICAL ITEMS LIST - ORB ITER 102 


SUBSYSTEM = FWD - REACTION CONTROL 
ASSEMBLY iPROPELLANT PEED 
P/M RI :HC 2 82— 0061-0001 /0002 

P/N VENDOR 1 8 55 C3 32 0000-009 /OLO 
QUANTITY : 2 


FHEA NO 03-2F -111110-3 REV: L1/10/7S 
ABORT: CRIT. FUND: 1 

CRIT. HDto : l 

MISSIONS: HF VF X FF OF SH' 

PHASE(S): PL LO X HO X DO X IS 


: ONE 
rPER 


REQ'D 

PROPELLANT 


REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 


PREPARED 

DES 

REL 


BY: 


BEMIS 

DIEHL 


APPROVi 
DES _ 
REL . 


APPROVED BY, 

SSH , 4 _U* 





^PROVED WITH 


See Section 

AND COMPARTMENT BARRIER. 


ITEM: TANK ASSY, PROPELLANT 

INCLUDING PROPELLANT ACQUISITION DEVICE 
1031. 

FUNCTION: 

TO STORS/SUPPLY PROPELLANT TO REACTION CONTROL 
STORAGE PRESSURE 245 PSIG * OR -15 (1.5 SAFETY 
FAILURE MODE: RESTRICTED FLOW - C S ) 

structural FAILURE OF PROPELLANT ACQUISITION DEVICE WHICH BLOCKS OR 
RETARDS RATE OF FLOW OF PROPELLANT INTO TANK OUTLET. 


CHANGES 

1370 


ENGINE MANIFOLDS. 
FACTOR). 


(TK 


NOMINA 


• CAUSE(S): 

. VIBRATON, MECHANICAL SHOCK, EXCESSIVE FLOW RATES DUE TO EXCESSIVE GAS 
IN THRUSTER MANIFOLD. (SEE FAILURE MODE NO. A ON NEXT PAGE). 

• EFFECT { S } : ON { A> SUBSYSTEM ( B ) INTERFACES (OMISSION (D)C P.EV / VEHICLES 

. ‘ (A) LOSS DF FULL PROPELLANT FLOW C AP AB I L ITY/ HEL IU M INGESTION. IB) NONE. 

(Cl LOSS OF MISSION DUE TO LOSS OF PROPELLANT. (D) NONE UNLESS FAILURE 

OCCURS WHEN MODULE REQUIRED FOR ET SEPARATION. 

.DISPOSITION & RATIONALE (A) DESIGN (S)TEST (C ) I NS PECT ION t D ) F AILURE HISTORY: 

. (A) 1.5 DESIGN SAFETY FACTOR. DEVELOPMENT TESTS VERIFY WELD CYCLE LIFE, 

SCREEN REPAIR METHOD* SCREEN CYCLE LIFE AND SCREEN FLOW . IB) PROPELLANT 

ACQUISITION DEVICE COMPONENTS,. SU8ASS EHSLI ES AND TANK ASSY IMTEGRI i Y 

VERIFIED BY PERFORMING BUBBLE POINT TEST- TANKS SUBJECTED TO PROPELLANT 

’ EXPOSURE, 200 EXPULSION CYCLES, 48 MINUTES PER AXIS OF 3.9 GR M S RANDOM 

VIBRATION AND BURST PRESSURE DURING QUAL PROGRAM- (C) TURNAROUND 

INSPECT INCLUDES MONITOR FLOW DURING FUNCTIONAL TESTS * AUDIT CONDUCTER 

11-1-76 VERIFIED SUPPLIER INSPECTION CONTROL OF MATL IDENTIFICATION 

PARTS PROTECTION MFG PROCESSES, CORROSION PROTECTION PROVISIONS, NDE 

EXAM OF HELDS AND, STORAGE ENVIRONMENTS. 

(D) NONE ( NEW DEVELOPMENT ITEM).' 

1 


103387 


SD75-SH-0003 



1 . 

la. 


.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 1111 0-4 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER SD75-SH-001 6A 

ITEM Tank Assembly and Propellant Acquisition FAILURE MODE Loss of Gas in Propellant 


DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE -(i.e., AUTOMATICALLY YES fx] NO Q 

ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES □ NO fXl 

USE TO DETECT THE FAILURE? ^ 


2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA .EVALUATION OF YES f j *.N0 fxl 

IN-FLIGHT DETECTABILITY? UJ 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES □ NO [X] 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES P NO P] 

FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES H NO Hi 

INDUCE ANOTHER FAILURE? • .. 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES □ NO HF 

OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 [xl *!□ 20 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED M/A nYESHMoQ 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 


A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? - YES (£j*NO □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES Q*NO [g 

♦EXPLANATION REQUIRED (SEE BELOW) ... 


CHANGE/RETENTION RATIONALE SUMMARY 

1.0 NO H/S ISSUES - 3. P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2.[TJ HARDWARE ACCEPTS RISK 4. □ DETECTION DURING CHECKOUT 6. Q RECOMMENDED CHANGES 8EL0W 


[XlFMEA CHANGE RECOMMENDED 



1. "Fail Off" detection in RCS RM. 

6. No redundant tanks. 

7. No correcting action - abort. 

8. Same as primary. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS - URBITER 102 


sue 

ASS 
U /N 
P/N 
? UA 


FA I 


SYSTEM : FWD - REACTION CONTROL 
EM SLY : PROP EL lANT FEED 
RI : M.C282— CC-61 -OOC 1/GOC2 

YEN DO R : &5 5C33 2C00 C-OOv/ 010 
•\TITY : 2 


REQ'D 


,cY' 




A" 


: ONE 

: PER PROPELLANT f , 

•m>?' REDUNDANCY 
LURE DETECTABLE IN FLIGHT?. YES 
INc PERFORMANCE AND C riAKBER PRESSURE . V^2 PI 5A 1 


FMEA NO 03-2F -11111 C-A 
ABORT: CR1T 

ckit 

MISSIONS: HF VF X Ft- 

.PHASE(S): PL X LC \ -OC 

NUMBER OF SUCCESS PATh.S 
AFTER FIRST FAILURE: 

SCREEN: A.— N/A 

TIME TO 


K EV: 12/1 5/7, 
FL'iVL : 2 

h^u : 2 

OF SM 
X DO X LS 
REMAINING 


GROUND TURNAROUND?. NO 


B— N/A C— N/A 

EFFECT: 

SECONDS 

REFERENCE DOCUMcNIS: 

M JG7C— COO 1— C I t 
SD72-SH— C1C3-2 
VS70-421CC1 


PREPARED 

DES 

REL 


EY: 


&EMI S 
DIEHL 


APPROVED br: 

OcS 

RtL 


ENGl.Nc MANIFOLDS 
SAFETY FAC I OR). 


ITEM: T AN X ASSY, PRGP EL LA NT 

INCLUDING PROPELLANT ACQUISITION DEVICE AND COMPARTMENT BARRIER . (TK 

102 ). 

FUNCTION: 

TO STGRE/SUPPLY PROPELLANT TO REACTION CONTROL 
NOMINAL STORAGE PRESSURE 245 PS IG + OR -15 (1.5 
c A I LURE MODE: LOSS OF GAS RETENTION IN (S) 

PROPELLANT ACQUISITION DEVICE (PAD). 

CAUSE (S ) : 

vie ration, shock, propellant contamination (chemical ok cikd. 

EFFECT (S): ON (A) SUBSYSTEM { b ) INTERFACES (OMISSION (UCKtK/VcrtlC 
(A) EXCESSIVE GAS FLOW TO THRUSTERS COULD CAUSE TANK BARRIER FA 
( E ) POTENTIAL DAMAGE TO THRUSTERS IF UNDETECTED. (C) AsUkT DE 
(D) POSSIBLE LOSS OF CREW/VEHIClE IF FAILURE OCCURS PRIOR TO lT 
SEPARATION. 

CORRECTING ACTION! 

Shut DOWN FRCS AND ABORT MISSION. 

REMARKS/HAZAROS: 

IF UNDETECTED, THE THRUSTERS COULD EE DAMAGED WHICH COULD CAUSE ENTRY 
UNCERTAINTY. 


Lt: 

ILuRt . 
Cl SION. 
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SHUTTLE CRITICAL ITEMS LIST - 0R8ITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY rPROPELLAMT FEEO 
P/N RI :MC2 82— 0C61 — OOOL/QOOZ 

P/N VENDOR : 8 55C33 2 0000-0 09/0 L 0 


FME A NO 03—2 F -111110-4 


QUANTITY 


PREPARED 

DES 

REL 


: 2 

5 ONE 
: PER 


BY: 


ABORT : 

MISSIONS: 
PHASE(S) : 


HF 

PL 


VF 

LO 


CP IT. FUNC 
CR IT . H0« 

cp op 
CO X DO X 


REV: 11/10/ 
: 2 

2 

SM 
LS 


REQ* D 

PROPELLANT 


REDUNDANCY SCREEN: A-N/ A 


R 

R 


SEMIS 

DIEHL 


APPROVED, 8^: 

des 

REL JL 





APPROVED 
SSM 
REf\ 


CHANGE 


See Section 

COMPARTMENT BARRIER. 


13.0 

(TX 


ENGINE M AK I FCLOS . 
FACTOR ) . 


MOM I - 


IT EH: TANK ASSYt PROPELLANT 

INCLUDING PROPELLANT ACQUISITION DEVICE AND 
103} . 

FUNCTION: 

TQ STORE/SUPPLY PROPELLANT TO REACTION CONTROL 
STORAGE PRESSURE 245 PSTG > CR -15 (1.5 SAFETY 
FAILURE MOOE: LOSS OF GAS- RETENTION IN IS) 

PROPELLANT ACQUISITION DEVICE (PAD). 

CAUSE! S): 

VIBRATION, SHOCK t PROPELLANT CONTAMINATION (CHEMICAL 'OR DIPT). 

EFFECT! S}: 3N MJSU8SYST5H { B ) INTERFACES f C).M I SS ION ( 0) CR EW/VE’H ICLE : 

(A) EXCESSIVE GAS FLO Vj TO THRUSTERS COULD CAUSE TANK BARRIER FAILURE. 
(3) POTENTIAL DAMAGE TO THRUSTERS TF UNDETECTED. (C! ABORT DECISION. 
ID) POSSIBLE LOSS CF CREW/VEHICLE IF FAILURE OCCURS PRIOR TC ET 
SEPARATION. 

DISPOSITION £ RATIONALE (A)OESIGN { 3 ) TEST (C > INSP ECTION ( 0 ) FAILURE HISTQ 
(A) OESI&N FACTR OF SAFETY IS 1.5 MIN. DEVELOPMENT TESTS INCLUDE 'a ELD 
CYCLE LI FE (800 CYCLES ) , FRACTURE MECHANICS, FORGING EVALUATION, AND 
TUBE SWAGING. (8} PROPELLANT ACQUISITION DEVICE COMPONENT St 
SU84SSEMLIES AND TANK ASSY INTEGRITY' VERIFIED BY PERFORMING BUBBLE POI 
TESTS. TANKS SUBJECTED TO PROPELLANT EXPOSUREt 200 EXPULSION CYCLES, 
MINUTES PER AXIS OF 3.9 GRMS RANDOM VT3RATI0.N AND BURST PRESSUR DUPING 
QUAL PROGRAM. (Ci TURNAROUND INSPECTION INCLUDES PERIODIC BUBBLE POINT 
CHECKS OF THE, PAD. AUDIT CONDUCTED IL-1-76 VERIFIED SUPPLIER INSPECTIO 
CONTROL OF MATL IDENTIFICATION PARTS PROTECTION MFG PRCCcSSESt CORROSI 
PROTECTION PROVISIONS, NDE EXA.M OF WELDS AND STORAGE ENVIRONMENTS. " 
( 0} NONE ( NEW DEVELOPMENT ITEM}. 


RY : 


NT 

A? 


■‘I 


S D75 -SH -0 003 



.HARDWARE/SOFTWARE ANALYSIS CHECKLIST 03-2F-1 21 308-1 

SUBSYSTEM , Fwd Reaction Control FMEA HUMBER SD75-SH-.nm .fiA_ 

ITEM Flex Line and Fi tings FAILURE MODE External Leakage 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 

YES 

m 

NO 

□ 

la. 

ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

IF HOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 

*YES 

□ 

NO 

□ 

2. 

USE TO DETECT THE FAILURE? \ • 

ARE THE ANSWERS TO OUESTIONS 1 AND ,1a CONSISTENT WITH THE FMEA .EVALUATION OF 

YES 

no *ao 

□ 

3. 

IN-FLIGHT DETECTABILITY? - 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 

YES 

D 

NO 

0 


(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS 
- FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 

INDUCE ANOTHER FAILURE? • - 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. ' HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 

ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER I OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATION REQUIRED (SEE. BELOW) 

CHANGE/RETENTIQH RATIONALE SUMMARY 

1.0 NO H/S ISSUES ; 

2. 0 HARDWARE ACCEPTS RISK 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 


1. V42P1115C, 111 6C will give class 2 alarm. 

Gross leak detection applies. 


3. NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE 3ELQW 

4. CD DETECTION DURING CHECKOUT 6 . ' □ RECOMMENDED CHANGES BELOW 


*YES □ NO 0 

*Y£S □ NO 0 
*YES □ NO QlT 

*0 □ *lD 20 

N/A □ YES(3'’0[_J 

YES 0*NO □ 
YES {XJ*N0 □ 


SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


GRBITEk IC2 


SUE SYSTEM :FWD - REACTION CONTROL 
A SSE.M6LY : THRUSTER 
P/N PI tMC271-GC-84. 

P/M VENDOR: 74 71 3-THRU 74717 
CMjANTlTY :?C 

: ONE FUEL AND ONE OXIDIZ. 
: FER THRUSTER 

failure detectable im flight?, yes 

v AN IF OL D PRESSURE 


FMt'A NO 03— ZF -12 130 8-1 KeV: 1 1/10/71 
ABORT: CM 1 . FUNC: 1 

CHIT . HvsU: 1 

MISSIONS: HF VF X FF CF X SM 
PHASEIS): PL X LO X UG X DO X LS X 
NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 2 

REDUNDANCY SCREEN: k- M/A B— N/A C-N/A 

TIME TO EFFECT: 

SECONDS TO DAYS 
REFERENCE DOCUMENTS: 


MJ73— 0CC1—01S 


GROUND TURNAROUND? ...YES 

VISUAL INSPECTION 


S D 7 2 — S h— 0 1 C 5 — 2 
VS70-H21CC1 


PREPARED BY: 
DcS 
REL 


J. TAGGART 
R DIEHL 


APPROVED BY: 

DcS 

REL 


.ITEM: LINE aSSEM. , FLEXIBLE 

. AND FITTINGS. 

.FUNCTION: 

. TO PROVIDE COUPLING BETWEEN PROPELLANT SUBSYSTEM AND FORWARD RCS 
PRIMARY AND VERNIER THRUSTER. 

.failure mode: external leakage - <$) 

. RUPTURE OF LINE DR COUPLING. 

. cause (s ) : 

. FATIGUE, SHOCK, VIBRATION, HANDLING. 

.2 FFfcCT(S) : ON (A) SUBSYSTEM ( B ) INTERFACES (C)MISSIQN {D)CK tW/VcftlCLc* 

. (A) LOSS OF PROPELLANTS TO EXTENT OF LEAK SIZE. (B) INCREASED -UNLC 

. CONTROL S USE OF ALTERNATE THRUSTERS. (C) POTENTIAL MISSION 1 1 KM I N A T i UN 
PPIGR TU PLANNED TIME. (D) NO EFFECT AFTER ASCENT UNLESS LEAK IS 
EXCESSIVE £L RESULTS IN IGNITION WITH REACTANT ( 2ND ORDER PAlLORc) DURING 
A RFLS ABORT THE LOSS UF A MANIFOLD RESULTS IN THE LOSS UP fwO DOWN 
FIRING THRUSTERS WHICH RESULTS IN CRIT 1. DURING ASCENT TnE FAILURE 
CANNOT BE DETECTED AND ISOLATED WHICH RESULTS IN POSSIBLE LOSS OF 
VEHICLE. 

.CtRRECTlNG ACTION: 

. ISOLATE THRUSTER AT MANIFOLD. 

.REM ARKS /HAZARDS.: 

. POTENTIAL HAZARD FROM FREE FUEL IN MODULE. 
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SHUTTLE CRITICAL ITEMS LIST - CPBITcP iOZ 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : THRUSTER 
P/N RI :MC2 71-0084 

P/N VENOORj 7A7 13— THRU 74717 
QUANTITY : 30 


FMEA NO 03-2F -121303-1 REV: 11/10/ 
ASORT : CRIT. FUNC: 1 

CR IT . HDrf : 1 

MISSIONS: HF VF X FF OF X SM 
PHASE ( S J : PL X LO X 00 X CO X LS X 


:ONE FUEL ANO CNE OXIOIZ. 

J PER THRUSTER 

REDUNDANCY SCREEN: 


PREPARED BY: 

DES J. TAGGART 

REL R OIEHL 



ITEM: LIME ASSEM., FLEXI3LE 
AND FITTINGS . 


A-M/A 6-N/A C— '( / 


APPRO j/ED 
SSM 


’K. 

j j j/y 

R 

WPlfcp WITH CHANGES 
See Section 13.0 


FUNCTION: 

TO PROVIDE COUPLING BETWEEN PROPELLANT SUBSYSTEM ANO FORWARD RCS 
PRIMARY AND VERNIER THRUSTER* 

FAILURE HCOE: EXTERNAL LEAKAGE - ( S) 

RUPTURE OF LINE OR COUPLING. 

CAUSE(S): 

FATIGUE, SHOCK , VIBRATION, HANDLING. 

EFFECT! S ) : ON { A } SUBSYSTEM 13 ) INTERFACES { C) M I SS ION .( D J CR EW/VEH ICLE : 

(A) LOSS OF PROPELLANTS TO EXTENT OF LEAK SIZE. 1 51 INCREASED GNSC 
CONTROL S. USE GF ALTERNATE THRUSTERS. { C > POTENTIAL MISSION TERMINATION 
PRIOR TO PLANNED TIME* ( D> NO EFFECT AFTER ASCENT UNLESS LEAK IS 
EXCESSIVE £ RESULTS IN IGNITION WITH REACT ANT (2ND ORDER FAILURE) DU P IN -3 
A RTLS ABORT THE LOSS OF A MANIFOLD RESULTS IN THE LOSS CF TWO DCWN 
FIRING THRUSTERS WHICH RESULTS IN CRIT L. DURING ASCENT THE FAILURE 
CANNOT BE DETECTED ANO ISOLATED WHICH RESULTS IN POSSIBLE LOSS GF 


VEHICLE- - 

.DISPOSITION £ RATIONALE (A)OESIGN (S)TEST (C ) INSPECTION (O)FAILURE H I STORY 

. (A) DESIGN BURST PRESSURE I S UP TO 3 TIMES THE MAX OPER PRESSURE OF 700 

PS 15- PROOF PRESSURE IS UP TO 1.5 TIMES THE MAX OPER PRESSURE. THE 
DESIGN ALLOWS SUFFICIENT MOVEMENT TO PRECLUDE EXCESSIVE STRESSES DURING 
INSTALLATION AND OPERATION. LINES CAN BE ISOLATED AT THE MANIFOLD IN 
CASE OF LEAKAGE. (0) POST INSTALLATION TEST AND OPERATIONAL CHECKOUTS 
WILL VERIFY SYSTEM INTEGRITY. ALL LINES SUBJECTED TO PROOF PRESSURE 
OURING ATP ANO RANDOM VIBRATION AT ANTICIPATED MISSION LEVELS DURING 
QUAL TESTING. LINES ARE ALSO TESTED DURING SYSTEM EVALUATION AT WHITE 
SANDS TEST FACILITY. (Cl SEE FMEA/CIL 102106-1. ID) NO HISTORY GF 
FAILURE IN FLIGHT. (NEW DEVELOPMENT ITEM FOR MANNED FLIGHT APPLICATION. 




9 i034 


S D 7 5 -Si] -0 003 



□ 0 


SUBSYSTEM 


HARDWARE/SOFTWARE ANALYSIS CHECKLIST 
Fwd. Reaction Control FMEA NUMBER 


03— 2F-1 21371-1 
SD75-SH-0016A 


ITEM Injector Plat 


FAILURE MODE Improper Mixture Ratio 


1. DOES- THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSC)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
{EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER GY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/ SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE GFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BPS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

*EXPLANATION REQUIRED (SEE BELOW) 


YES 0 NO Q 
*YES □ no |3 

YES Q *NO □ 
1 YES □ NO (3 
*YE$ □ NO 0 

*YES □ NO [3 
*YES Q NO (xl 

*0 □ *lQ 20 
m DYEsnuoS 


YES □-NO □ 
YES [>NO □ 


CHANGE/RETEHTIOH RATIONALE SUMfV ’ Rf 
NO H/S ISSUES 
HARDWARE ACCEPTS RISK 


3. P NO SOFTWARE DETECTION 

4. P DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/COMMENTS : 


1. "Fail Off" in RCS RM if sufficiently blocked. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


OxBITtR 102 


S Ug SYSTEM 

: FWO - REACTION CONTROL 

FMEA NO 03 

-2F -12131 

1-1 REV: 11/ 14/7 

.ASSEMBLY 

: THRUSTER, PRIMARY 

ABORT : ABORT 

CR1T. FuNC: l.R 

. P/N R 1 

: MC4E7-002S 

RTLS 


dk i r . h w * .? 

.P/N VENDOR 

:X3C8 66 

MISSIONS: 

HF VF X 

I-F CF $i'i 

.QUANTITY 

: IF 

PHASE(S) : 

PL LG X 

UO X DO X LS 

• 

: ONE INJECTOR PROVIDED FO 

NUMBER OF 

SUCCESS PAJHS REMAINING 

• 

: R EACH PRIMARY THRUSTER 

AFTER FIRST FAILURE: 

2 


REDUNDANCY SCREEN: 


: Al LUKE DETECTABLE IN FLIGHT?. NO 


GROUND TURNAROUND ? , 


,NO 


PREPARED 

DBS 

REL 


BY : 


W SEARCY 
R DIEHL 


a- f^il 
TIKE TO 
SECONDS 
REFERENC 
MJU70-CC 
S372-SH- 
VS 70-^2 L 


APPROVED LY: 
DES _ 
REL „ 


fc-FA IL 
EFFECT: 


C-FAH 


E DOCUMENTS: 
0 1 —C I A 
IOC— 2 
01 


VALVES AND PRO V 
FOR A hYPlRGULI 
FEET. AO 


I L-t 

c 

Soi 


item: injector, plate 

FUNCT ION: 

TO RECEIVE FUEL AND OXIDIZER FROM ThftUSTER INotT 
DOUdL&T MIXING AT 1.60 OX TO FUEL (WEIGHT) RATIO 
REACTION WHICH PRODUCES S25 POUNDS OF THRUST AT 

control chamber wall cooling. 

FAILURE MODE: FAILS TG DELIVER PROPS ( F ) 

AT PROPER MIXTURE RATIO AND FAILS TG PROVIDE ADcGUAT c. CGOLINo- OF Trtt 
CGM3USTCR WALL. 

CAUSE (S ) : 

CONTAMINATION, E LOCKED ORIFICES. 

SFFECT(S): ON (A) SUBSYSTEM (B ) INTERFACES (OMISSION 


( D ) CR EN/ V En 1C L;: 


THRUSTER IN A 
,» D ) NO EFFECT. 


GIVEN AXIS. 13) GNCC CONTROL SW1 
(E) POSSIBLE LOSS CF VEHICLE IF Fa 
DOWN FIRING THRUSTERS REQUIRED FOR 


PC hi NL> 
I LURE 
ET 


. R 


(A) LOSS OF ONE 
REQUIRED- (C 
OCCURS BEFORE ET SEPARATION 
SEPARATION. 

DIRECTING ACTION: 

SWITCH TO REDUNDANT THRUSTER IN AFFECTED AXIS. ISOLATE MANIFOLD 
CONTAINING FAILED THRUSTER. 

EM ARKS/HAZARDS : 

POSSIBLE LOCAL HOT SPOT R LSUlTING IN COATING Da.MaGE OR COMSuSTUf UuRN 
T HR OUGH . 


ORIGINAL PAGE IS 
OF POOR QUAlm 



SHUTTLE CRITICAL ITEMS LIST - 0R3ITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : THRU5TER, PRIMARY 
P/N RI :MC467-002 8 

P/N VENDOR JX3088 8 
QUANTITY :14 


FMEA NO 03- 2F 
ABORT: ABORT 
RTLS 

MISSIONS: HF 

PHASE { S) : PL 


-121311-1 

CRITc 
CP IT. 
VF X FF 
LC X 00 X 


REV: 11/14/78 
FUNC: 1R 

HDn : 3 

OF , SM 
DO X LS 


:ONE INJECTOR PROVIDED FO 
:R EACH PRIMARY THRUSTER 

REDUNDANCY' SCREEN: 


PREPARED BY: 

DES Vi SEARCY 

REL R DIEHL 


APPROVED BY: 
DES ; /silt (j 



Wrjrfj'* 


ITEM: INJECTOR, PLATE 


A— FA IL 8— FAIL C-FAIL 


APPRO 


SSM 

RE Vj 



INA ¥ ,: j/> 

- 


’ DELETE 

See Section 13.0 


.FUNCTION: 

» TO RECEIVE FUEL AND OXIDIZER FROM THRUSTER INLET VALVES AND PROVIDE 
DOUBLET MIXING AT L.60 OX TO FUEL (WEIGHT) RATIO FOR A HYPERGOLIC 
REACTION WHICH PRODUCES 825 POUNDS OF THRUSJ AT 70,000 FFET. ALSO 
CONTROL CHAMBER WALL COOLING, 

.FAILURE MODE: FAILS TO DELIVER PROPS (F) 

. AT PROPER MIXTURE RATIO AND FAILS TO PROVIDE ADEQUATE COOLING OF THE 
COMBUSTOR WALL. 

.CAUSEf S) : 

. CONTAMINATION, BLOCKED ORIFICES. 

. EFFECT £ S ) : ON £ A) SUBSYSTEM IB ) INTERFACES (OMISSION (D) CREW/ VEHICLE: 

• - (A) LOSS OF ONE THRUSTER IN A GIVEN AXIS. (B) GNGC CONTROL SWITCHING 
REQUIRED. (C*D) NO EFFECT. (E) POSSIBLE LCSS OF VEHICLE I.F FAILURE 

OCCURS BEFORE ET SEPARATION. DOWN FIRING THRUSTERS REQUIRED FOP £T 
SEPARATION. 

.DISPOSITION £ RATIONALE { A ) DESIGN £ B) TEST (C ) I NS PECTION (D)FAILURE HISTORY: 

, (A) 75 MICRON FILTER PROVIDED UPSTREAM TO PPsECLUOE CONTAMINATION 

FUEL HAS BEEN FILTERED TO 25 MICRONS PRIOR TO ENTERING TANK. ACOUSTIC 
CAVITIES PRECLUDE OCCURRENCE OF COMBUSTION INSTABILITY IN THE EVENT OF 
POOR DISTRIBUTION. { B ) TOTAL FLOW £ FLOW DISTRIBUTION CHECKED BY WATER 
FLOW TEST AND VERIFIED BY BURN TEST DURING THRUSTER ACCEPTANCE TESTS. 

(C) FIBER OPTICS USED TO VISUALLY INSPECT INJECTOR HOLES FOR EVIDENCE 
OF BURRS AND CONTAMINATION PRIOR TO ASSEMBLY AUDIT CONDUCTED ON 9-2-76 
VERIFIED THAT SUPPLIER INSPECTION CONTROLS RAW MATL VERIFICATION, PARTS 
PROTECTION, HFG FAB AND ASSY OPERATIONS, CONTAMINATION CONTRL, CORROSION 
CONTROL PROVISIONS AND STORAGE ENVIRONMENTS. TURN AROUND INSPECTION TO 
INCLUDE USE OF OPTICS INSPECTION WHERE ACCESSABLE FOR EVIDENCE OF DAMAGE 
G SYSTEM FLUID SAMPLINGS FOR DETECTION OF CONTAMINATION. (D) NO 
FAILURES OF THIS TYPE ON APOLLO. 
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subsystem Fwd, Reaction Control 
ITEM Thrust Chamber 


FMEA NUMBER _ 
FAILURE MODE 


03-2F-121312-1 
SD75-SH-001 6A 


I I. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES 17 } NO □ 

• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *YES □ NO H 

USE TO DETECT THE FAILURE? ^ 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES fX] *NO [H 

IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES Q MO (71 

i (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING. ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR ThE SOFTWARE TO COMPENSATE FOR THIS *YES H NO |X] 

I FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 

1 PROGRAM LOGIC)? 

| 4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR *YES □ NO [Xl 

i INDUCE ANOTHER FAILURE? 

‘ 5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES □ NO [xj 

OTHER FUNCTIONS? 

i 6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW *0 H *lQ 20 

i ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

17. IF CREW ACTIO!) IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A GYEsEXluon 

I TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

| 8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

i A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES 0 *N0 □ 

3. 'WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? YES 0*NO 0 | 

*EXPLANATION REQUIRED (SEE P-ELOW) j 


. CHANGE/RETENTION RATIONALE SUMMARY 

J !.□ NO H/S ISSUES 3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

l 2. [J HARDWARE ACCEPTS RISK 4. p DETECTION DURING CHECKOUT 6. □ RECOMMENDED CHANGES BELOW 


GO FMEA CHANGE RECOMMENDED 



FMEA change - Measurement numbers V42X1541X through V42X1556X should be listed as V42P1541A 
through V42P1556A'. ' - 

1, RM uses thurst chamber pressure transducers to sense the low pressure in question and 
give a "fail off" in RCS RM. 


[ 7. The thrust chamber measurements are downlinked, 

( 


I 
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•SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


OSSITfcR 1C 2 


$ 

.A 

□ 

• * 

P 

• * 

.0 


l*E SYSTEM : FWD - REACTION CONTROL 
SSEMELY : THRUST ER , PRIMARY 
/N SI : MCA67— C02S 

/H VENDOR: X3 09 58 
UANTITY :iA 

:ONE PER THRUSTER 


FMEA NO C3-2F - 
ABORT: 


.FAILURE DETECTABLE IN FLIGHT?. 
.INCIPIENT BURN-THRU DETE CTORS 
. V A2X155 6X PC TRANS DUCER 

S GROSS CW 

ROUND TURNAROUND ? . .YES 

IS UAL EXAMINATION 


MISSIONS: HF 

PhASt(S): PL 

NUMBER OF SUCCE 
AFTER FIRST FAI 
REDUNDANCY SCREEN: 

YES 

V42X1541X THROUGH 
IF LEAKAGE 


121312-1 R EV: 11/10/7 
CRIT. FUiMC: 

CRIT. hWD: 

VF X FF OF SM 
LO X 00 X DO X LS 
SS PATnS REMAINING 
LURE: 

A-M/A 6-N/A 
TIME TO EFFECT: 

SECONDS 

REFERENCE CuCUMtN f S: 
MJ070 — GC01 — C-l B 
SDT2-SH-0 103—2 
VS70— A-2IC01 


X 

i 


c 

c-n/a 


PREPARED BY: 
DES 
RE L 


APPROVED BY: 

W SEARCY DES 

R DIEHL REL 


.item: thrust chamber 

. FROM INJECTOR TO NOZZLE EXTENSION (COATED C0LUMB1UM). 

.FUNCTION: 

. TO CONTAIN HYPERGOlIC reaction of propellants and to expand combustion 
PRODUCTS TO PRODUCE ThRUST THROUGH NOZZLE EXTENSION TU PROVIDE IMPULSE 
TO VEHICLE . 

.FAILURE MODE: OV ERHfc AT /3URNTHK0UGH (S3 

. DUE TO INADEQUATE COOLING. 

.C AUSE (S ) : 

. BLOCKED (CONTAMINATED) COOLANT (FUEL) INJECTOR HOlES, POOR BOUNDARY 
FLOW CONDITIONS COMBUSTION INSTABILITY, SEPARATION OK F KACTUR t UF 
PROTECTIVE DISLICIDE COATING. 

• EFFECT(S): ON (A) SUBSYSTEM (6 } INTERFACES. (OMISSION (D )CR EK/VchIC LE : 

. (A) LOSS OF A PRIMARY THRUSTER IN A GIVEN AXIS. (8) INCREASED bNCC 

. CONTROL AUTHORITY REQUIRED. (C ) POTENTIAL LOSS OF MISSION aoORT 

DECISION. (D) POTENTIAL LOSS OF VEHICLE. CRITICAL DAMAG-i COULD OCCUR 
BEFORE FAILURE IS DETECTED. 

.CORRECTING ACTION: 

. ISOLATE THRUSTER AND UTILIZE REDUNDANT ThRUSTER IN AFFECTED AXIS. 

(AUTOMATIC FUNG TION ] . 

.remarks/hazards: 

. POTENTIAL HAZARD FROM ESCAPING HOT GASES IN MODULE AND POTENTIAL 
PROPAGATION OF FAILURE IF NOT ISOLATED IN A TIMELY MANNER. 
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SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM :F WD - REACT I ON CONTROL 
ASSEMBLY : THRUSTER, PRIMARY 
P/N R I :MCA67-0O23 
P/N VENDOR; X3095S 
QUANTITY 514 

5 ONE PER THRUSTER 


FME A NO Q3—2F -121312-1 REV:Ll/10/7e 


ABORT: 



CRIT. 

FUNC: 1 




CRITa 

HOW : , l 

MISSIONS: 

HF 

VF X 

FF 

OF SM 

PHASE(S) : 

PL 

LO X 

CO X 

DO X LS 


PREPARED BY s 

DES - to SEARCY 

REL R DIEHL 


REDUNDANCY SCREEN: A~N/ A B'-N/A C-N/A 



a ITEM: THRUST CHAMBER See Section 13.0 

. FROM INJECTOR TO NOZZLE EXTENSION (COATED COLUMBIUM) - 

.FUNCTION: 

. TO CONTAIN HYPERBOLIC REACTION OF PROPELLANTS AND TO EXPAND COMBUSTION 
PRODUCTS TO PRODUCE THRUST THROUGH NOZZLE EXTENSION TO PROVIDE IMPULSE 
TO VEHICLE « 

• FAILURE MODE: OVERHEAT /3URNTHP.CUGH (S) 

. OUE TO INADEQUATE COOLING. 
aCAUSEC S ): 


BLOCKED (CONTAMINATED) COOLANT (FUEL) INJECTOR HOLES, POCP- BOUNDARY 


FLOW CONDITIONS COMBUSTION INSTABILITY, SEPARATION OR FRACTURE OF 
PROTECTIVE DISL TC IDE COATING. 

• EFFECT ( S ) : ON (A) SUBSYSTEM { B ) I NTERF ACES (OMISSION ( D) CREW/VEH IC LE: 

a (A) LOSS 3F A PRIMARY THRUSTER IN A GIVEN AXIS. (B) INCREASED GNEC 
CONTROL AUTHORITY REQUIRED. (C) POTENTIAL LOSS OF MISSION ABORT 
DECISION. (D) POTENTIAL LOSS OF VEHICLE. CRITICAL DAMAGE COULD OCCUR 
BEFORE FAILURE IS DETECTED® 

•DISPOSITION £ RATIONALE t A) DESIGN (B)TEST (C ) INSPECTION (D)FAILURE HISTORY: 

» INTERKETAL IC DIFFUSSIDN LAYER FORMS AN INTEGRAL BOND BETWEEN THE 

DIS IL IC IDE COATING AND THE PARENT COLUMBIUM MATERIAL AND TENDS TO RESIST 
SHOCK LOADING® 75 MICRON FILTER IN VALVE INLET UPSTREAM OF INJECTOR 
HOLES WILL PRECLUDE ENTRY OF CONTAMINANTS. ACOSTIC CAVITIES DAMPEN THE 
FREQUENCIES THAT EXCITE INSTABILITY a (B) SIMULATED THRUSTERS AND 
THRUSTER NO® 5 VIBRATION TESTS HAVE DEMONSTRATED THE ABILITY OF THE 
DISILICIDE COATING TO WITHSTAND 2.0 G SQUARED PER HERTZ RANDOM VIBRATION 
STRESSES. THRUSTER IS SUBJECTED TO RANDOM VIBRATION AT ANTICIPATED 
MISSION LEVELS DURING THE QUAL® PROGRAM. IC) COATING THICKNESS AND 
QUALITY WILL BE CONTROLLED BY SUPPLIER INSPECTION PROCEDURE MPS 525 
WHICH REQUIRES CERTIFICATION THAT COATING PRGCESS CONFORMS TO THE 
PROCESS SPEC, VISUAL INSPECTION, VERIFICATION OF COATING THICKNESS AND A 
SMOKE TEST THAT VERIFIES COAT INTEGRITY. TURNAROUND INSPECTION TO 
INCLUDE VISUAL INSPECTION FOR EVIDENCE OF BURN THRU. (D) NO FLIGHT 
FAILURE HISTORY® (2) DEVELOPMENT FAILURES HAVE OCCURRED ON SHUTTLE 
PROGRAM® ONE FAILURE DUE TO DOUBLET DESIGN WHICH HAS BEEN CHANGED AND 
ONE FAILURE DUE TO THIN COAT OF DISILICIDE COATING. THIN COAT STILL 
WITHSTOOD MORE FIRING TIME THAN IS NORMALLY SEEN BY THE THRUSTER IN 
NORMAL 100 MISSION LIFE. 
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• nrtKUWrtKty^TFTWWETTWWL Y S i S tHttfsLl b ! 03^2 MTT313 -1 
SUBSYSTEM Fwd Reaction Control FMEA NUMBER < SD75-SH-0016A 

ITEM Nozzle Extension - FAILURE MODE Burn-Thru 


1. ' DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY YES □ NO fXI 

•• ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD *Y£S □ NO 

USE TO DETECT THE FAILURE? ^ 

2. ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF YES (Ti *NO fl 

IN-FLIGHT DETECTABILITY? 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE YES H NO fiT] 

(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? • 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS *YES fX I NO fl 

FAILURE MODE- (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? ■ 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR - *Y£S fl HO R 

„ INDUCE ANOTHER FAILURE? ■ . . . ' , . 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT *YES H NO fX[ 

OTHER FUNCTIONS? ' 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW ' *0 H 20 

ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. ~ 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED N/A FjYESfKlUOn 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: . 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? YES 0*NO □ 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? - YES Q*NO Q 

♦EXPLANATION REQUIRED (SEE BELOW) 

CHANGE/RETENTION RATIONALE SUMMARY ‘ . . 

1.0 NO H/S ISSUES' . _ . . 3.P NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELCV 

2. [x} HARDWARE ACCEPTS RISK '4. □ DETECTION DURING CHECKOUT 6. D RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 



3a. Instrumentation is available for software redesign. 
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SHUTTLE FAILURE MODE AMD EFFECTS ANALYSIS - CRBITER IC2 


SUBSYSTEM : FWD - REACTION CONTROL 
ASSEMBLY : THRUSTER, PRIMARY 
P/N R I t MC467— GC28 

P/\ VENDOR :X3CS?2 
QUANTITY : 14 

:GNE PER THRUSTER 


FMEA NO 03-2 F 
ABORT l ABORT, 
RTlS 

MISSIONS: HF 

PHASECS): PL 


-121213-1 

CRIT. 

CRIT. 


FAILURE DETECTABL] 


FLIGHT?. 


GROUND TURNAROUND?...' YES 

VISUAL INSPECTION 


MISSIONS: HF VF X FF OF SM 

PHASE(S): PL LO X 00 X DO X LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: i 

REDUNDANCY SCREEN: A-N/A B-N/A C-f 

TIME TO EFFECT: 
IMMEDIATE 

REFERENCE DOCUMENTS*. 
MJ070-GCGI-01L 
> SD72-SH-0103-2 

VS70-42 lCCi 


PREPARED BY: APPROVED BY: 

DES W SEARCY DES _ 

REL R DIEHL RtL 


ITEM: NOZZLE EXTENSION, 

COATED CGLUMBIUM (WITH INSULATION BLANKET). 

FUNCTION: 

TO PROVIDE FOR EXPANSION OF COMBUSTION GASES TO M>1 SUCH THAI THE 
REQUIRED THRUST IS PRODUCED. 

FAILURE MODE: STRUCTURAL FAILURE, IS) 

BURN-THRU. 

CAUSE (S) : 

HIGH TEMPERATURE IN LOCAL SPOT DUE TO FILM COOLING FA! L UP,t < CUN f AM i NAT tO 
INJECTOR COOLANT HOLES) VIBRATION, SHOCK, WE LO OR MATERIAL UlFElT. 
EFFECT ( S ) : ON (A)SUdSYSTEM ( B ) INTER FACES (OMISSION (0 JCRE-W/ VEhiC Li: 

(A) loss of a thruster in a given axis. (B) increased gnlc control 

AUTHORITY REQUIRED. (C) NO EFFECT. (D) NO EFFECT UNLESS FAILuKL 
PROPAGATES— CRIT 1 FOR RTLS ABORT IF THRUSTER IS ISOLATES) AT MaNIFUlO 
LEVEL 

.CORRECTING ACTION: 

. ISOLATE THRUSTER AT INLET VALVE OR MANIFOLD AND UTILIZE ALTERNATE lN 
AFFECTED AXIS.. 

.REMARKS/HAZARDS: 

. POTENTIAL FOR FAILURE PROROGATION TO ADJACENT THRUSTERS IF INSULATION 
BLANKET DOES NOT PRECLUDE GaS/LIGUIO ESCAPING. REFERENCE rtAZAKu 
1 YX X— 03 02— C 1 • 
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SHUTTLE CRITICAL ITEMS LIST - ORB I TER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : THRUSTER ,PR IMARY 
P/N RI :HC467— 0028 
P/N VENDOR: X30872 
QUANTITY : 14 

: ONE PER THRUSTER 


FMEA NO 03-2F 
ABORT: ABORT, 
RTLS 

MISSIONS: HF 

PHASE(S): PL 


— 12 13 L 3—1 

CR IT, 
CR IT . 
VF X FF 
LO X 00 X 


REV: 11/14/ 

FUNCi 1 
HOW: L 

OF SM 
DO X LS 


REDUNDANCY SCREEN: A-N/A 8-N/A C-N/ 


PREPARED 

DES 

REL 


BY: 


W SEARCY 
R DIEHL 



INSULATION BLANKET) 


ITEM: NOZZLE EXTENSION, 

COATED COLUMOIUM (WITH 
FUNCTION: 

TO PRQy IDE FOR EXPANSION OF COMBUSTION GASES TO H>1 SUCH ’HAT THE 
REQUIRED THRUST IS PRODUCED. 

FAILURE MODE: STRUCTURAL F4ILUPE, (Si 

BURN-THRU. 

CAUSE(S): 

HIGH TEMPERATURE IN LOCAL SPOT DUE TO FILM COOLING FA [LURE (CONTAMINATED 
INJECTOR COOLANT HOLES) V laRATlGN, SHOCK, WELD OR MATERIAL DEFECT. 
EFFECT(S): ON ( A) SUBSYSTEM { B 1 INTERFACES (OMISSION (D) CREW /VEHICLE: 

(A) L05S Or A THRUSTER IN A GIVEN AXIS. (B) INCREASED GriCC CONTROL 
AUTHORIP/ REQUIRED. t C ) NO EFFECT. ( D ) NO EFFECT UNLESS FAILURE 
PROP AGATES-CR IT 1 FOR RTLS ABORT IF THRUSTER IS ISOLATED AT MANIFOLD 


LEVEL 

.DISPOSITION £ RATIONALE ( A ) DE SIGN ( B ) TEST (C ) IMSP EC T ION (D)FAILURE HISTORY 

. (A) INTERNET ALLIC DIFFUSION LAYER FORMS INTEGRAL 30ND TO RESIST SHOCK. 

COATING PROCESS CONTROLLED. INJECTOR DESIGN INCORPORATES ACOUSTIC 
CAVITIES WHICH REDUCED POSSIBILITY OF INSTABILITY. DUCTILE PROPERTIES 
OF C— 103 COLUMBIUM PRECLUDES FR A GHENTA TI ON OR CATASTROPHIC MODE OF 
FAILURE. (B) DEV VIBRATION TESTS DEMONSTRATE ABILITY OF DISILICIOE 
COATING TO WITHSTAND 2.0 G SQUARED/HZ RANDOM VIBRATION. TS?4P TESTS 
DEMONSTRATE EXCELLENT DUCTI9LE/SRITTLE QUALIFIES FOR COATED C-I03 
COLUHBIUM. ICJ TURNAROUND INSPECTION TO INCLUDE VISUAL INSPECTION FOR 
EVIDENCE OF BURN THROUGH £ WHERE- ACCESSA8LE, USE OF FIBER-OPTICS NOE TO 
INSPECT FOR SURFACE FLAWS. SUPPLIER INSPECTION INCLUDES FLOU°E SCEN T 
PENETRATE INSPECTION PRIOR TO COATING TO DETECT SURFACE DEFECTS AMD 
X-RAY INSPECTION IS REQUIRED FOR DETECTION OF INTERNAL DEFECTS. AUDIT 
CONDUCTED F-2-T6 VERIFIED THAT SUPPLIER INSPECTION CONTROLS 0 AW MAT'L, 
IDENTIFICATION OF PARTS,. MPG PROCESSES ? CORROSION PROTECTION, 
CONTAMINATION CONTROL AND ENVIRONMENTS. (D) 4 OCCURANCES OF BELL 
FAILURES CAUSED BY BRITTLE HETROGENEOUS GRAIN STRUCTURE CU E TO VI3RATI0M 
FATIGUE_0N _APQLLO LM/SM RCS ENGINES- 
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iinr\uwATqL7 _ ^/rrisTO^tr _ RrfHL i ju uricur\Li o I U3-2F-] 31 3] 0-1 
SUBSYSTEM Fwd. Reaction Control FMEA NUMBER SD75-SH-001 6A 

ITEM Vernier Thruster failure mode Loss of Output 


£ 

6 


1. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la, IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? " 

3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING. ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST. FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AMD THE REQUIRED CORRECTIVE ACTION? 

8. IF THE ANSWER TO EITHER 1 OR 3 IS YES; 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/V-HICLE? 

♦EXPLANATION REQUIRED (SEE BELOW) 


YES 

0 

NO 

□ 

*Y£S 

□ 

NO 

P 

YES 

0 

*N0 

□ 

YES 

0 

NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

♦YES 

□ 

NO 

□ 

*0p 

! *i 

0 

zD 

i/a □yesS;r 

:>□ 

YES 

0 

*!!0 

□ 

YES 

0 

*N0 

□ 


CHANGE/RETENTION RATIONALE SUMMARY 

!.□ NO H/S ISSUES 

2. [3 HARDWARE ACCEPTS RISK 


3. Q NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ACCEPTANCE RATIONALE BELOW 

6. □ RECOMMENDED CHANGES BELOW 


EXPLANATION/COMMENTS : 


□ FHEA CHANGE RECOMMENDED 


1. RM uses thrust chamber pressure transducers to sense the low pressure in question and 
ai3/.e_£Lj l „fail.o±PJLn RCS .RM _ . _ ... 

3. The GN&C RM program will automatically deselect a failed jet under certain conditions 
(provided it is not inhibited). See FSSR "10" paragraph 4. 1.7. 1.6. 3 for the conditions. 

' 6. This failure can be tolerated since it is criticality 2. 

f 

\ 7. The thrust chamber pressures can be downlinkedt 
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SHUTTLE FAILURE MOQc AMD EFFECTS ANALYSIS - ORBITER 102 


SUBSYSTEM 
ASSEMBLY 
P/N R 1 
P/M VEMDCF 
QUANTITY 


FAILURE D 

thruster 


t FWD - 
: THRUST 
:MCa67- 

. « 

: 2 

:ONE Rt 
: ( DOWN 

ETtCTAEL 

CHAMBER 


REACTION 
ER ASSY 
C 029 


CONTROL 


FMEA MO 
ABORT: 


03-2F —13131 0—1 

CRIT. 
CA I T . 


Kti/: il/1^/7 
FUNC : 2 


h.WJ l 


CD PER 
FIRING) 


E IN FLIGHT?. YES 
PRESS V42P-1555A, 


MISSIONS: HF VF X FF 

PHASE(S): PL LU CO 

NUMBER OF SUCCESS PATHS 
AFTER FIRST FAILURE: 
REDUNDANCY SCREEN: A-N/A 

TIME TO 


OF EM 
X 00 L$ 
REM A IN I MG 


1556 A 


b — N / A C- 

LFFECT: 
IMMEDIATE 

REFERENCE DOCUMENTS: 


V 

N/A 


GROUND TURNAROUND? YES 

POSITION INDICATION 


MJ 070— GOG 1—0 1 S 
SQ72-SH— OiCS— 2 
VS70-4210CI 


PREPARED EY: 
DES 
REL 


J TAGC-ART 
R DIEHL 


approved 

DES 

REL 


SY: 


.ITEM: THRUSTER, VERNIEP. 

. (EM 157/l5fc ) . 

.FUNCTION: 

. TO PROVIDE THRUST FOR LOW LEVEL ACCELERATIONS ASSOCIATED WITH POINTING 
MANEUVERS AND THREE AXIS ATTITUDE HOLD. THRUSTER FIRES IN +2 DIRECTION 
FOR + PITCH AND -Z ACCELERATION. INCLUDES INL&T VALVE, INJECTOR, 

TnRUST CHAMBER, NOZZLE EXTENSION, HEATER* INSULATION, PRtSS/TEMP 
XSDUCERS. 

.failure mode: loss of output if> 

. INLET VALVES/ BLOCKED INJECTOR/STAND-OFF »S. 

.CAUSE(S): 

. CONTAMINATION, PIECE PART STRUCTURAL FAILURE, IMPROPER SOLENOID 
ACTUATION, VIBRATION 

.EFFECTIS): OH (A)SUBSYSTEM ( B ) INTERFACE S (C)MISSION (OCfitW/VEhlCLfc: 

(A)' LOSS OF VERNIER FUNCTION. (B) NO EFFECT. (C) POTENTIAL EaklT 

. MISSION TERMINATION. LOSS GF TIGHT DEADBAND ATTITUDE CONTROL. (0) 

NO EFFECT. 

.CORRECTING ACTION: 

. UTILIZE LARGE THRUSTERS FOR ATTITUDE CONTROL IN AFFECTED AXIS 
(INCREASED PROPELLANT QUANTITY DEPLETION) 

.REMARKS/HAZARDS : 

. POTENTIAL HAZARD IF FAILURE OCCURS CURING CRITICAL MANEUVERS - TIME 
CRITICAL. NO REDUNDANCY IS PROVIDED FOR THIS COMPONENT. 
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SHUTTLE CRITICAL ITEMS LIST 


OP B ITER 102 


SUBSYSTEM 

:FWO - REACTION CONTROL 

FMEA NO 03-2F 

-131310 

■» 

*“ i 

P-EV: 11/14/76 

ASSEMBLY 

: THRUSTER ASSY 

ABORT: 


CP- IT. 

FUNC: 

2 

P/N R I 

:MC 467-0029 

. 


CR IT. 

HDW: 

2 

P/N VENDOR 

• 

MISSIONS: HF 

VF X 

FF 

OF SM 


QUANTITY 

:2 

: ONE REQ 8 D PER SIDE 
: { DOWN FIRING) 

PHASEJS): PL 

LO 

GO X 

DO LS 



PREPARED BY: 

DES J TAGGART 

REL R DIEHL 


REDUNDANCY SCREEN: 

APPROVED-' BY: / 

DES „ 

REL 


A-N/A 3-N/A 


C-N/A 


APPROVED 8k/ INAS a-/: , 
SSN 

RE^L/f |L 


. ITEM : THRUSTER, VERNIER 

. (EN 157/158 ) o 

.FUNCTION: 

. TO PROVIDE THRUST FOR LOW LEVEL ACCELERATIONS ASSOCIATED WITH POINTING 
MANEUVERS AND THREE AXIS ATTITUDE HOLD. THRUSTEP FIRES IN +Z DIRECTION 
FDR -fr PITCH AND -Z ACCELERATION. INCLUDES INLET VALVE, INJECTOR, 

THRUST CHAMBER, NO'ZZLE EXTENSION, HEATER, INSULATION, PRESS/TEMP 
XSDUCERSc 

.FAILURE MODE: LOSS OF OUTPUT (F) 

. INLET V ALVES /BLOCK. ED IN JECTOR/STAND— OFF* S. 

.CAUSE! S J : 

. CONTAMINATION, PIECE PART STRUCTURAL FAILURE, IMPROPER SCLENCID 
ACTUATION, VIBRATION 

- EFFECT! S): ON { A) SUBSYSTEM !B 3 INTERFACES {OMISSION (D5 CREW/ VEHICLE: 

. ! AI LOSS OF VERNIER FUNCTION. t 9 } NO EFFECT. { C J POTENTIAL EARLY 

MISSION TERMINATION. LGSS OF TIGHT DEADBAND ATTITUDE CONTROL. (D) 

NO EFFECT. 

.DISPOSITION & RATIONALE { A } DESIGN ( B3 TEST !C) INSPECTION (D)FAILURE HISTORY: 

» (A) VALVE INCORPORATES A 25 MICRON FILTER TO PRECLUDE CONTAMINATION. 

VALVE HAS BEEN DESIGNED TO PRECLUDE SELF GENERATED CONTAMINATES. 

SPECIAL EMPHASIS PLACED ON SOLENOID AND HIRING TO PRECLUDE SHORTS. !BJ 
PRE/POST FLIGHT CHECKOUT AND VALVE SIGNATURE TESTS WHEN MODULE REMOVED. 
VALVE SUB J EC i ED TO RANDOM VIBRATION AT ANTICIPATED MISSION LEVELS DURING 
DUAL PROGRAM. LENGTH OF TIME FOR VIBRATION TO EQUAL 100 MISSION L-IFE 
EXPECTANCY. { C3 AUDIT CONDUCTED 9-2-76 VERIFIED THAT SUPPLIER 
INSPECTION CONTROLS RAH MAT * L, IDENTIFICATION OF PARTS, MFG PROCESSES, 
CORROSION PROTECTION, CONTAMINATION CONTROL, AND ELECTRICAL 
TERMINATIONS. TURNAROUND INSPECTION INCLUDES MONITORING FUNCTIONAL TEST 
DURING PRESSURI ZATION CYCLE FOR EVIDENCE OF ERRATIC OPERATION. { D ) NO 
FAILURE HISTORY APPLICABLE TO THIS FAILURE MODE. 



* • If \l W H/Irwcyo V Jl~l TTTtTvC 

SUBSYSTEM Fwd Reaction Control 

ITEM Vernier Thruster ; 


” IWfc » 1 J w •‘.■okcxtjt n(J3^2F^T31 31 0-3 
FMEA flUMBER .Sj375=S.H=QQ16A_ 

FAILURE MODE Erratic Operation 


1. 

DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
ANNUNCIATE OR TAKE ACTION IN RESPONSE)?- 

YES 

□ NO 

© 

la. 

IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

*YE$ 

□ NO 

p 

2. 

ARE THE ANSWERS TO OUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? 

YES 

□ *NO 

□ 

3. 

DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 
(EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

YES 

0 NO 

□ 

3a. 

IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 
FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 
PROGRAM LOGIC)? 

*YES 

□ NO 

□ 

4. 

AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? ' • . 

*YE$ 

□ NO 

[Xj 

5. 

CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
OTHER FUNCTIONS? 

*YES 

□ NO 

m 

6. 

HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

X 

r— 

M 

□ 

O 

* 

20 

7. 

IF CREW ACT I Oil IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

N/A □yESBnoQ 

8. 

IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

YES 

□ *KO 

□ 


B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

YES 

0*NO 

□ 


♦EXPLANATION REQUIRED (SEk BELOW) 


CHANGE/RETENTION RATIONALE SUMMARY 

1. Q NO H/S ISSUES • 3. Q NO SOFTWARE DETECTION 5. □ ACCEPTANCE RATIONALE BELOW 

2. (3TJ HARDWARE ACCEPTS RISK 4- □ DETECTION DURING CHECKOUT 6. Q RECOfIMENDED CHANGES 3EL0V/ 


No In-Flight Detectability 

Sfmea change recommended 


EXPLANATION/COMMEHTS : 


1 . May not be detected 


j 

i 

unless 3 consecutive low pressures. 
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SHUTTLE FAILURE MODE AND EFFECTS ANALYSIS 


ORB ITER 102 


SUBSYSTEM : FWb - REACTION CONTROL 
ASSEMBLY : THRUSTER ASSY 
P/N R I :MC4fc7~0C29 

P/N VENDOR: 

QUANTITY : 2 • 

: ONE REQ'O PER SIDE 
: ( DOWN FIRING} 


FMEA NO 03- 2 F -13131 C-3 REV:ii/iC/7 

ABORT: CR1T. FUNC: 2 

CR I T » FWu i 2 


MISSIONS: HF VF X FF OF SM 

PHASE(S); PL LO 00 X DO LS 

NUMBER OF SUCCESS PATHS REMAINING 
AFTER FIRST FAILURE: 0 

REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 


failure detectable in flight?, yes time to effect: 

THRUSTER CHAMBER PRESS. INDICATION V42P-1555A IMMEDIATE 


1 55fcA 


REFERENCE DOCUMENTS: 


MJ 070-000 1-C1L-. 


G RC UN D TU RN A ROUND ? 


NO 


SO iZ — Bh— 0103— 2 
VS70-421CC1 


PREPARED BY: 
DES 
REL 


j TAGGART 
R DIEHL 


APPROVED BY: 

DCS 

REL 


.item: thruster, vernier 

. ( EN 1 57/15 S } • 

.FUNCTION: 

. TO PROVIDE THRUST FOR LOW LEVEL ACCELERATIONS ASSOCIATED WITH POINTING 

maneuvers and three axis attitudl hold, thruster fires in +2 direction 

a OR + PITCH AND -Z ACCELERATION. INCLUDES INlET VALVE , INJECTOR, 

THRUST CHAMBER, NOZZLE EXTENSION , HEATER, INSULATION, PRESS/TEMP 
X SO UC ER S . 

.FAILURE MODE: ERRATIC OPERATION (F) 

. LOW/HIGH THRUST OK INTERMITTENT OPERATION 
.CAUSE (S ): 

. CONTAMINATION, IMPROPER SOLENOID ACTUATION. 

.EFFECT ( S ) : ON (A) SUBSYSTEM (B ) INTERFACES (OMISSION (0 )CR£w/ VEHICLE : 

. (A) LOSS OF VERNIER CONTROL E) INTERFACE SWITCHING OF POWER AND 

. GNSC CONTROL TO LARGE THRUSTERS. (C) POSSIBLE EARLY MISSION TERMINATION 
BOTH VEIN I ER THRUSTERS WOULD HAVE TO BE ISOLATED SUCH THAT TIGHT DEADBAND 
ATTITUDE CONTROL wOULD BE LOST. (D) NONE. 

.CORRECTING ACTION: 

. SHUT DOWN/ ISO LATE FAILED THRUSTER AND UTILIZE LARGE THRUSTER IN 
AFFECTED AXIS 
.REMaRKS/HAZARUS: 

. POTENTIAL HAZARD FROM COLLISION. NO REDUNDANCY IS PROVIDED FDR THIS 
COMPONENT. 
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SHUTTLE CRITICAL ITEMS LIST - CRB ITER 102 


SUBSYSTEM :FVD - REACTION 
ASSEMBLY : THRUSTER ASSY 
P/N R[ IMCA67-0029 

,P/N VENOOR: 

QUANTITY : 2 

: ONE REQ'O PER 
KDGVrN FIRING) 


CDNTPGL FMEA NO 03-2F 
ABORT: 

MISSIONS: HP 

PHASE I S) : PL 

IDE 

REDUNDANCY SCREEN 


131310-3 R EV: I L/10 / 
CRIT. FUNC: 2 

CP IT . HOW : 2 

VF X FF OF SM 

LQ OO X 00 LS 


A-N/A B-N/A C-N/ 


PREPARED BY: 

DES J TAGGART 

REL R DIEHL 


APPROVED" BY: 

DES 

REL f 



.ITEM: THRUSTER, VERNIER 

• CEN 157/158) . 

•FUNCTION: 

• TO PROVIDE THRUST PGR LOW LEVEL ACCELERATIONS ASSOCIATED V ITH POINTING 
MANEUVERS AND THREE AXIS ATTITUDE HOLD. THRUSTER FIRES IN ±Z DIRECTION 
FOR PITCH AND ~l ACCELERATION-, INCLUDES INLET VALVE, INJECTOR, 

•THRUST CHAMBER, NOZZLE EXTENSION, HEATER, INSULATION, PRESS/TSMP 
XSOUCERS. 

•FAILURE MODE: ERRATIC OPERATION (F) 

o LOW/HIGH THRUST OR INTERMITTENT OPERATION 
.CAUSE! S ) : 

. CONTAMINATION, IMPROPER SOLENOID ACTUATION, 

• EFFECT! SI: ON (A) SUBSYSTEM ( B ) INTERFACES {OMISSION { Q ) CR EV/ VEH ICLE : 

. (A) LOSS OF VERNIER CONTROL 3) INTERFACE SWITCHING OF POWER AND 

GNEC CONTROL TO LARGE THRUSTERS. { C ) POSSIBLE EARLY MISSION TERMINATION 
BOTH VENIER THRUSTERS WOULD HAVE. TO BE ISOLATED SUCH THAT TIGHT DEADBAND 
ATTITUDE CONTROL WOULD BE LOST. (D) NONE. 

•DISPOSITION £ RATIONALE (AJOESIGN (B)TEST IC) INSPECT ION (D) FAILURE HISTORY: 

• {A* VALVE INCORPORATES A 75 MICRON FILTER TO PRECLUDE CONTAMINATION. 

VALVE HAS BEEN DESIGNED TO PRECLUDE SELF GENERATED CONTAMINATES. 

SPECIAL EMPHASIS PLACED ON SOLENOID AND WIRING TO PRECLUDE SHORTS. (B) 
PRE/POST FLIGHT CHECKOUT ANO VALVE SIGNATURES TESTS WHEN MODULE REMOVED . 
VALVE SUBJECTED TO RANDOM VIBRATION AT ANTICIPATED MISSION LEVELS DUPING 
QUAL PROGRAM. LENGTH OF TIME FOR VIBRATION TO EQUAL 100 MISSION LIFE 
EXPECTANCY. IC) AUDIT CONDUCTED 9-2-7S VERIFIED THAT SUPPLIER 
INSPECTION CONTROLS RAW MAT ’L, IDENTIFICATION OF PARTS, MFG PROCESSES, 
CORROSION PROTECTION* CONTAMINATION CONTROL, ANO ELECTRICAL 
TERMINATIONS. TURNAROUND INSPECTION INCUJOSS MONITORING FUNCTIONAL TEST 
DURING PRESSURIZATION CYCLE FOR EVIDENCE CF ERRATIC OPERATION. (0) MO 
FAILURE HISTORY CONCERNING THIS FAILURE MODE. 
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“FIMDW7S RE75nnTOE imi' CHECIOIST 03-2F-1 31 31 0-4 
SUBSYSTEM Fwd. Reaction Control FMEA NUMBER SD75-SH-0016A 

ITEM Vernier Thruster FAILURE MODE Burn-Thru 


1.. DOES THE FLIGHT SOFTWARE DETECT THIS FAILURE MODE (i.e., AUTOMATICALLY 
• ANNUNCIATE OR TAKE ACTION IN RESPONSE)? 

la. IF NOT, DOES THE HARDWARE PROVIDE INFORMATION THAT THE FLIGHT SOFTWARE COULD 
USE TO DETECT THE FAILURE? 

2. ARE THE ANSWERS TO QUESTIONS 1 AND la CONSISTENT WITH THE FMEA EVALUATION OF 
IN-FLIGHT DETECTABILITY? " 

| 3. DOES THE FLIGHT SOFTWARE TAKE ACTION TO NEGATE THE EFFECTS OF THE FAILURE 

; (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE PROGRAM LOGIC)? 

3a. IF NOT, DOES THE CAPABILITY EXIST FOR THE SOFTWARE TO COMPENSATE FOR THIS 

I FAILURE MODE (EITHER BY COMMANDING HARDWARE ACTION OR IMPLEMENTING ALTERNATE 

PROGRAM LOGIC)? 

\ 4. AS A RESULT OF THIS FAILURE MODE, CAN THE SOFTWARE OVERSTRESS THE HARDWARE OR 
INDUCE ANOTHER FAILURE? 

j 5. CAN THIS FAILURE MODE, IN COMBINATION WITH SOFTWARE LOGIC, ADVERSELY AFFECT 
f OTHER FUNCTIONS? 

I 

i. 6. HOW MANY OF THESE HARDWARE FAILURES CAN THE SHUTTLE TOLERATE (CONSIDER CREW . 
ACTION AND HARDWARE/SOFTWARE OPERATION)? NOTE CHANGE TO FMEA CRITICALITY. 

£ 7. IF CREW ACTION IS REQUIRED TO RESPOND TO THIS FAILURE MODE, ARE CUES PROVIDED 
I TO SIGNAL THE NEED FOR INTERVENTION AND THE REQUIRED CORRECTIVE ACTION? 

j 8. IF THE ANSWER TO EITHER 1 OR 3 IS YES: 

j A. CAN THE BFS BE ENGAGED AFTER OCCURRENCE? 

' B. WILL BFS TOLERATE FAILURE WITHOUT LOSS OF CREW/VEHICLE? 

- * EXPLANATION REQUIRED (SEE BELOW) 


YES 

m 

NO 

□ 

*YES 

□ 

NO 

□ 

YES 

to 

*N0 

□ 

YES 

0 

NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

*YES 

□ 

NO 

□ 

*0 [X] *1 

□ 

zD 


N/A [I]YES[X3;:on 

YES 0 *N0 □ 

YES O *N0 3 


| CHANGE; RETENTION RATIONALE SUHKARi 
■ 1 . □ NO H/S ISSUES 

l 2, Q3 HARDWARE ACCEPTS RISK 

t 

i 

\ 


3. Q NO SOFTWARE DETECTION 

4. □ DETECTION DURING CHECKOUT 


5. □ ACCEPTANCE RATIONALE BELOW 

6. □RECOMMENDED CHANGES BELOW 


□ FMEA CHANGE RECOMMENDED 


EXPLANATION/COHMENTS: 


I. The GN&C RM Program will automatically deselect a failed jet and issue an alert. 
Detectable in thrust chamber but not in nozzle. 


[ 6. This is a criticality 1 failure and cannot be tolerated. 

I 7. The thrust chamber pressures can be downlinked, 

| 8B. Same as primary. 


\ 


\ 

i 

i 
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shuttle failure mode and effects analysis 


ORB I TER iC 2 


UB SYSTEM :FWD - REACTION CONTROL 
SSBMELY : THRUSTER ASSY 
P/M R I : MC467— CC29 

P/N VENDOR: 

QUANTITY : 2 

: ONE REQ * D PER SIDE 
: ( DOWN FIRING) 


FM6A NO 
ABORT: 


03-2F —13151 0—4 

CM T. 
CK IT . 


REV: 12/08/7 s 


FUNC: 

hWD: 


1 

1 


FAILURE DETECTABLE IN 

MINOR LEAKAGE OR 

GROUND TURNAROUND?... 
VISUAL EXAMINATION 


FLIGHT?. YES 

INCIPIENT FAILURE 
YES 


MISSIONS: HF VF X FF 

PKASE(S): PL LQ 00 

NUMBER OF SUCCESS PATHS 
AFTER FIRST FAILURE: 
REDUNDANCY SCREEN: A-N/A 

TIME TO 


OF SM 
X DO lS 
REMAINING 


b-N/A 
EF FECT : 

SECONDS 

REFERENCE DOCUMENTS: 
MJC70-0CD1-C1B 
SD72— SH-01C3— 2 
VS70-421U01 


£ 

C-N/A 


PREPARED BY: 
DES 
REL 


j Taggart 
R DIEHL 


APPROVED 

DBS 

REL 


BY: 


ITEM: TBRUSTtP, VERNIER 
(EN 157/lbS). 

FUNCTION: 

TU PROVIDE THRUST FOR LOW LEVEL ACCELERATIONS ASSOCIATED WITH POINTING 
MANEUVERS AND THREE AXIS ATTITUDE HOLD. THRUSTER FIRES IN +2 DIRECTION 
FOR + PITCH AND -Z ACCELERATION. INCLUDES INLET VALVE, iNucCTOK, 

THRUST CHAMBER, NOZZLE EXTENSION, HEATER, INSULATION, PRESS/TfctfP 
XSDUCERS. 

FAILURE MODE: OV ERHE AT /B'JRNThRQUGH (F) 


CAUSE (S): 

Max PRESSURE SPIKES, SURFACE DEFECTS IN ThE PRUTECTIVb DISIL1CIDE 

coating fop chamber wall and vibration. 

EFFECT! S): CN (A) SUBSYSTEM (3 ) INT tRFACES (OMISSION (D) CREW/ VEHICLE: 
(A) LOSS OF VERNIER THRUSTER. (B) POTENTIAL DAMAGE. (C) F OTcMTl AL 
EARLY MISSION TERMINATION. (D) POTENTIAL LOSS OF VEHICLE. CRITICAL 
DAMAGE COULD OCCUR BEFORE FAILURE IS DETECTED. 

CORRECTING ACTION: 

ISOLATE FAILED THRUSTER AND USE OTHER ThRUSTERS.- 
REK ARKS/HAZARDS: 

POTENTIAL HAZARD FROM ESCAPING HOT GASES IN THE MODULE AN'J POTENTIAL 
PROPAGATION OF FAILURE IF NOT ISOLATED IN A TIMELY MANNER. 


no 



SHUTTLE CRITICAL ITEMS LIST - ORBITER 102 


SUBSYSTEM :FWD - REACTION CONTROL 
ASSEMBLY : THRUSTER ASSY 
P/N R I : MC467— 0029 

P/N VENDOR: 

QUANTITY :2 

: ONE REQ’D PER SIDE 
: ( DOWN FIRING) 


FMEA NO 03-2F -131310-4 
ABORT: 


MISSIONS: 
PHASE ( S ) : 


HF 

PL 


REV: 12/08/78 
CR IT » FUNC: 1 

CRIT « HOW: 1 

VF X FF OF SM 

LO 00 X DO LS 


REDUNDANCY SCREEN: A-N/A B-N/A C-N/A 


PREPARED BY: 

DES 

REL 


J TAGGART 
R DIEHL 



APPROV 
S SM 


ITEM: -THRUSTER, VERNIER 
(EN 157/1585. 
FUNCTION: 


APPRQVED/^BY: 

DES 

REL R 

PROVED WITH CHANG ES 
See Section 13.0 



. TO PROVIDE THRUST FOR LOW LEVEL ACCELERATIONS ASSOCIATED WITH POINTING 
MANEUVERS AND THREE AXIS ATTITUDE HOLD. THRUSTER FIRES IN +Z DIRECTION 
FOR + PITCH AND -2 ACCELERATION. INCLUDES INLET VALVE* INJECTOR, 

THRUST CHAMBER, NOZZLE EXTENSION, HEATER, INSULATION, PRESS/TEMP 
XSDUCERS. 

.FAILURE MODE: OVERHEAT/BURNTHROUGH (F) 


v 

..CAUSE! S): 

. MAX PRESSURE SPIKES, SURFACE DEFECTS IN THE PROTECTIVE DIS1LICIDE 
COATING FOR CHAMBER WALL AND VIBRATION. 

. EFFECT ( S 5 : ON ( A) SUBSYSTEM ( B ) INTERFACES (OMISSION ( D ) CREW/VEH ICLE: 

(A) LOSS OF VERNIER THRUSTER. (8) POTENTIAL DAMAGE. (C) POTENTIAL 
• EARLY MISSION TERMINATION. (D) POTENTIAL LOSS OF VEHICLE. CRITICAL 
DAMAGE COULD OCCUR BEFORE FAILURE IS DETECTED. 

.DISPOSITION £ RATIONALE ( A ) DESIGN ( B J TEST ( C 5 I NSP ECT ION { D) FAILURE HISTORY: 

. (A) INTERMETAL IC DIFFUSSION LAYER FORMS AN INTEGRAL BOND BETWEEN THE 

DISILICIDE COATING AND THE PARENT C0LUM8IU.M MATERIAL (C-103) AND TENDS 
TO RESIST SHOCK LOADING. (B) PRIDR TESTS CONDUCTED ON THE Rl-1 THRUSTER 
HAVE DEMONSTRATED THE ABILITY OF THE DISILICIDE COATING TO UTHSTAND 
IMPACT LEVELS AND THERMAL STRESSES PRODUCED BY TEMPERATURES IN EXCESS OF 
2900 DEGREES F. TORCH TESTS HAVE DEMONSTRATED THE INSENSITIVITY OF THE 
R512A COATING TO THERMAL SHOCK. (C) AUDIT CONDUCTED 9-2-76 VERIFIED 
THAT THE SUPPLIER INSPECTION CONTROLS RAH MAT 1 L» IDENTIFICATION OF PARTS 
MFG . PROCESSES, CORROSION PROTECTION , CONTAMI NAT ION CONTROL, AND 
FLOURESCENT PENETRANT INSPECTION PRIOR TO COATING TO DETECT SURFACE 
FLAWS AND X-RAY INSPECTION IS REQUIRED FOR DETECTION OF INTERNAL 
DEFECTS. COATING THICKNESS AND QUALITY IS CONTROLLED BY MPS 52 5 WHICH 
HILL REQUIRE CERTIFICATION THAT COATING PROCESS CONFORMS TO THE PROCESS 
SPECIFICATION, VISUAL INSPECTION, VERIFICATION OF COATING THICKNESS £ 
TEST TO VERIFY COATING INTEGRITY. TURNAROUND INSPECTION TO INCLUDE 
VISUAL INSPECTION FOR EVIDENCE OF BURN THROUGH AND WHERE ACCESSIBLE. 

USE OF FIBER OPTICS NDE TO INSPECT FOR SURFACE FLAWS. 

(0) NO FLIGHT FAILURE HISTORY. 
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Meeting. Minutes- 


Review of JSC 14651, Hardware/Software Interaction Analysis Volume VIII, 
Forward Reaction Control System Part 1 of 2. 


1. Meeting held at Rockwell International, Downey, 1:00PM to 2:30PM, 9/24/79. 

2. Attendees Organization Phone 

Edward Vonusa NASA X-1470 


Dave Latham JSC Reliability 527-0323 

(Boeing) FTS 

Rudy Kubica RI Propulsion/RCS ' X-4720 

Larry Gladu RI System Engineering X-1189 

Bill Meyers RI System Engineering X-1726 

Bob Diehl RI Reliability X-2098 


3. The following changes were discussed and will be incorporated in the 
final release of Forward Reaction Control System Hardware/Software Inter- 
action Analysis and will be reflected in next update of Fwd RCS FMEA: 


03-2F-101Q10-1 
03-2F -101013-1 
03-2F-1Q1020-3 
03-2F-101020-4 
03-2F-101 030-1 
03-2F-101030-2 
03-2F-101060-1 


Change "SMU" to "SM". Insert "SM Alert" before "blue light." 
Same as 03-2F-101010-1 . 

Same as 03-2F-101010-1 . 

Same as 03-2F-101010-1 . 

Add "X" in No. Block, question la. 

Add V42P1116C to Explanation 1. and 2. 

Show class 3 alarm with blue light and class 2 alarm with red 
light. Add V421116C. (Explanation 1.) 


03-2F -101060-2 
Q3-2F-101060-3 
03-2F-101060-4 
03-2F-101060-5 
03-2F-101070-1 


Add "X", No Block, question la. 

Same as 03-2F-1Q1060-1 . 

Same as 03-2F-101060-1 . 

Same as 03-2F-101060-1 . 

Under 1 & 2 Explanation, add V421113C, 1114C. Change class 
2 to 3.- 


03-2F-101030-1 : Change FMEA to show detectability method. 

03-2F-101090-1 : Under 1 & 2 Explanation, change V42P1110C, 1112C to 1113C, 

1114C. Change class 2 to 3. Add gross leakage detectability 
(see 03-2F-101080-1). 


A-l 



2 


03-2F-101095-2 : 

03-2F-102106-1 ; 

03-2F-1021Q8-1 : 
03-2F- 102120-1 : 
03-2F-102150-1 : 
03-2F -102170-1 : 
03-2F -111110-1 : 

03-2F-111110-2 : 
03-2F-111110-3 : 

03-2F-11111-4: 


03-2F-121308-1 : 

03-2F-121311-1 : 
03-2F-121312-1 : 

03-2F-121313-1 : 

03-2F-131310-3 : 


Change "X" from Yes Block to No Block, questionl. Under 
Explanation, delete 1 & 2 (failure is one leg only- requires 
failure of both legs to actuate C & W). 

Under 1 Explanation, - add gross leakage detectability (see 
03-2F-101080-1 ) . Under 7 Explanation and FMEA change add 
V42P1115C. Change FMEA to show detectability. 

Under 1 Explanation, add gross leakage detectability (see 
03-2F-1 01 080-1) Under 7 Explanation add V42P1115C. 

Under 1 Explanation, add oxidiser measurement numbers, and 
add' "failed off thruster will give "failed jet on C & W"/ 

Same as 03-2F-102120-1 plus retain V42P1312C and delete 
1313C and 1314C. 

Under 1 Explanation, add measurements V42X1333X, 1233X. 

Change class 2 to 3. 

Under i Explanation, add V42P1210C, 1212C, 1216C and add to 
t'o FMEA detectability. Add X in FMEA change recommended 
block. 

Same as 03-2F-111110-1 . 

Under 1 Explanation, add gross leakage detectability (see 
03-2F-101080-1 ) 

Change X from No Block to Yes block for question 1. Under 
Explanation, delete 1st paragraph and 1. (White Sands Test 
on vernier showed complete loss chamber pressure which is 
detectable. Similar gas bubbles in propellant tests are 
planned for primary thrusters) . 

Under 1 Explanation, the class 3 alarm is doubtful. Check 
and verify findings with Bill Meyers RI Systems Engineering. 

Also add gross leakage detectability (see 03-2F-101080-1) . 

Change Failure Mode to agree with failure mode in FMEA. 

Under 1 Explanation, add "If failure is upstream of throat 
it will be detected by PC; if failure is downstream of throat 
it will not be detected." 

Change X from Yes Block to No Block, question 1. Delete 1. 
under Explanation (failure is downstream of throat and will 
not be detected by PC) . 

Change X from Yes Block to No Block, question 1. Add X to 
FMEA change recommended block. Under 1. Explanation, delete 
entire sentence (the pressure transducers are snubbed by an ori- 
fice and will not detect the erratic operation). Change Ft-® A 
to indicate no detectability. 
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